DeFi, Foundry, Solidity
16,653 OP
Submission Details
Severity: medium
Invalid

Deposit Discrepancy in claimAndSwap Function Leading to Potential Fund Mismanagement

Code Snippets

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L88

Summary

The claimAndSwap function incorrectly deposits the entire alETH balance of the strategy contract instead of the swapped amount, potentially causing unexpected losses or mismanagement of protocol funds.

Vulnerability Details

The claimAndSwap function deposits the entire asset balance into the transmuter, as follows:

function claimAndSwap(uint256 _amountClaim, uint256 _minOut, IVeloRouter.route[] calldata _path) external onlyKeepers {
    ...
    require((balAfter - balBefore) >= _minOut, "Slippage too high");
    transmuter.deposit(asset.balanceOf(address(this)), address(this)); // <-- deposits the entire balance
}

The function calculates the token balance difference before and after the swap to enforce slippage limits, but in the end incorrectly deposits the contract’s entire token balance into the transmuter, rather than just the swapped amount.

This mistake leads to unintended deposits of pre-existing tokens, causing inaccurate accounting and reducing operational flexibility by unnecessarily locking excess funds in the transmuter.

Impact

Unintended deposits of pre-existing tokens could lock excess funds in the transmuter, risking potential asset mismanagement and loss of control over critical reserves.

Tools Used

Manual Review

Recommendations

Modify the transmuter.deposit line to only count the increased balance.
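
The two deposit behaviours side by side, as an added sketch that is not the project's code. The interfaces, contract and function names are hypothetical stand-ins, and keeper access control and token approvals are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Hypothetical minimal interfaces for illustration, not the Alchemix/Velodrome ones.
interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
}
interface ITransmuterLike {
    function deposit(uint256 amount, address owner) external;
}
interface ISwapperLike {
    function swap(uint256 amountIn, uint256 minOut) external; // sends `asset` to the caller
}

contract DeltaDepositSketch {
    IERC20Like public immutable asset;
    ITransmuterLike public immutable transmuter;
    ISwapperLike public immutable swapper;

    constructor(IERC20Like _asset, ITransmuterLike _transmuter, ISwapperLike _swapper) {
        asset = _asset;
        transmuter = _transmuter;
        swapper = _swapper;
    }

    // Behaviour the finding describes: asset already idle in the contract
    // (balBefore) is swept into the transmuter together with the swap output.
    function swapAndDepositAll(uint256 amountIn, uint256 minOut) external {
        uint256 balBefore = asset.balanceOf(address(this));
        swapper.swap(amountIn, minOut);
        uint256 balAfter = asset.balanceOf(address(this));
        require((balAfter - balBefore) >= minOut, "Slippage too high");
        transmuter.deposit(asset.balanceOf(address(this)), address(this));
    }

    // Behaviour the recommendation describes: only the measured increase is
    // deposited, so balBefore stays idle in the contract after the call.
    function swapAndDepositDelta(uint256 amountIn, uint256 minOut) external {
        uint256 balBefore = asset.balanceOf(address(this));
        swapper.swap(amountIn, minOut);
        uint256 received = asset.balanceOf(address(this)) - balBefore;
        require(received >= minOut, "Slippage too high");
        transmuter.deposit(received, address(this));
    }
}
```

With 5 tokens idle before a swap that returns 10, the first function deposits 15 and the second deposits 10.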

Updates

Lead Judging Commences

inallhonesty Lead Judge
8 months ago

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
