Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: medium

Invalid

No Guard Against Zero Addresses in `setRouter`

cipherhawk

Description

When calling setRouter, the contract assigns router to the provided _router parameter and grants it an unlimited allowance (type(uint256).max). There is no check ensuring _router is a valid, nonzero, deployed contract address.

Impact: Medium

Potential Misconfiguration:
- Accidentally setting router to address(0) causes subsequent approvals to point to an invalid address, breaking the strategy’s swap functionality.
Operational Failures:
- Calls to external swap functions will fail or revert if router is address(0) or a non-contract address (no code at that address).
Downtime / Reduced User Confidence:
- If the protocol depends on successful swaps, incorrectly setting the router disrupts user deposits, withdrawals, or yield operations until corrected.

Evidence from Code

function setRouter(address _router) external onlyManagement {

router = _router; // No check if _router != address(0)

underlying.safeApprove(router, type(uint256).max);

}

The contract does not verify _router is a valid contract or even a nonzero address.

Attack / Failure Scenario

Malicious or Accidental Assignment:
- The management (or a compromised management key) sets router to address(0) or any other invalid address.
Invalid Approval:
- The contract grants underlying.safeApprove(router, type(uint256).max), but router is not a functional contract.
Functional Breakage:
- When the strategy attempts to perform swaps or claims, the calls revert or do nothing. The protocol’s operations are effectively frozen until a valid router is set again.

Note that while this specific mistake doesn’t directly allow an attacker to drain funds (like an approval to a malicious contract), it can cause a severe denial-of-service on swapping functionality, harming user experience and protocol reliability.

Recommended Mitigations

Validate Nonzero Address

require(_router != address(0), "Router cannot be zero address");
- A simple check ensures you never set router to address(0).
Check extcodesize to Confirm Deployed Contract

uint256 codeSize;
assembly {
codeSize := extcodesize(_router)
}
require(codeSize > 0, "Router must be a contract");
- Ensures _router is a live, deployed contract rather than an EOA (Externally Owned Account) or empty address.
Consider a Timelock / Multi-Sig for Router Changes
- Prevents quick or unauthorized updates to such a critical piece of infrastructure.

Updates

Appeal created

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.