Alchemix Transmuter
Alchemix
DeFiFoundrySolidity
16,653 OP
View results
Previous Next
Submission Details
Severity: medium
Invalid

Absence of Oracle in `_swapUnderlyingToAsset` Potentially Leads to Inaccurate Pricing and Exploitation

eta

Summary

The _swapUnderlyingToAsset function currently lacks integration with a price oracle, relying only on a basic comparison of input and output amounts in the contracts of StrategyArb.sol and src/StrategyOp.sol. This omission introduces risks of inaccurate pricing, potential manipulation, and suboptimal execution.

Vulnerability Details

src/StrategyArb.sol:_swapUnderlyingToAsset#L82-L83
src/StrategyOp.sol:_swapUnderlyingToAsset#L82-L83

function _swapUnderlyingToAsset(
uint256 _amount,
uint256 minOut,
IVeloRouter.route[] calldata _path
) internal {
// TODO : we swap WETH to ALETH -> need to check that price is better than 1:1
// uint256 oraclePrice = 1e18 * 101 / 100; // Placeholder for future oracle integration
// @audit lack of oracle validation
require(minOut > _amount, "minOut too low");
uint256 underlyingBalance = underlying.balanceOf(address(this));
require(underlyingBalance >= _amount, "not enough underlying balance");
IVeloRouter(router).swapExactTokensForTokens(
_amount,
minOut,
_path,
address(this),
block.timestamp // Deadline set to the current block time
);
}

The function does not validate minOut against an oracle price, leaving it vulnerable to inaccurate or manipulated pricing. TODO comments indicate plans for oracle integration to ensure prices are better than 1:1.

The condition require(minOut > _amount) ensures only a basic ratio check but lacks depth in price validation.

Impact

  • Users may suffer financial losses due to execution at unfavorable prices or manipulated swaps.

  • The absence of an oracle check exposes the function to price manipulation and potential exploits by malicious actors.

  • Failure to validate prices accurately undermines the protocol’s trustworthiness and reliability.

  • The lack of price protection can lead to suboptimal swaps, damaging user confidence.

Recommendations

Implement a price oracle to validate minOut against a reference price:

contract ImprovedStrategy {
// 1. Add oracle price check
function _swapUnderlyingToAsset(
uint256 _amount,
uint256 minOut,
IVeloRouter.route[] calldata _path
) internal {
// Retrieve the oracle price
uint256 oraclePrice = oracle.getPrice();
// Calculate the acceptable price range
uint256 minPrice = oraclePrice * 98 / 100; // Allow a 2% lower deviation
uint256 maxPrice = oraclePrice * 102 / 100; // Allow a 2% higher deviation
// Check if the swap price is within the safe range
uint256 swapPrice = (_amount * 1e18) / minOut;
require(
swapPrice >= minPrice && swapPrice <= maxPrice,
"Price outside safe range"
);
// Execute the token swap
IVeloRouter(router).swapExactTokensForTokens(
_amount,
minOut,
_path,
address(this),
block.timestamp
);
}
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
8 months ago

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.