DeFi, Foundry, Solidity
16,653 OP
Submission Details
Severity: medium
Invalid

No Mechanism to Recover Non-Asset Tokens

Issue: No Mechanism to Recover Non-Asset Tokens

Description

The strategy currently does not provide a way to recover tokens that are neither the main asset nor the underlying token. If any third-party tokens (e.g., from airdrops or user errors) are sent to the strategy contract, they remain locked indefinitely.

Impact: Medium

  1. Permanent Loss of Accidental Deposits

    Users who mistakenly send other tokens to the strategy have no recourse to retrieve them.

  2. Accumulation of Unclaimed Tokens

    Over time, random airdrops or transfers can accumulate, potentially locking up valuable assets.

  3. Operational Inefficiency

    Administrators or the protocol treasury have no means to reclaim these tokens, resulting in unrealized or wasted value.

Evidence / Code Context

There is no dedicated function like rescueTokens or sweepToken in the strategy contracts:

// No function similar to:
// function rescueTokens(address token, uint256 amount, address to) external onlyManagement { ... }

Without such a method, non-asset tokens sent to the strategy remain inaccessible.


Potential Scenarios

  1. User Error

    • A user accidentally transfers an ERC20 token to the strategy address, assuming it supports all tokens. The token is now stuck.

  2. Airdrop / Fork Tokens

    • The strategy might unexpectedly receive tokens from contract upgrades or fork events with no way to move or swap them.

  3. No Administrative Retrieval

    • Even if the management wants to send these stray tokens to the protocol treasury, there is no built-in function to do so.


Recommended Mitigations

  1. Add a Rescue Function

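    // Assumes OpenZeppelin SafeERC20 is imported and `using SafeERC20 for IERC20;` is declared.
    function rescueTokens(address _token, uint256 _amount, address _to) external onlyManagement {
        require(_token != address(asset), "Cannot rescue main asset");
        require(_token != address(underlying), "Cannot rescue underlying");
        // safeTransfer reverts on a false return and tolerates tokens that return no value
        IERC20(_token).safeTransfer(_to, _amount);
    }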
    • Ensures only management can call it, protecting core assets while allowing recovery of unintended tokens.

  2. Implement Basic Checks

    • Prevent the function from rescuing the primary asset or underlying tokens so normal operations remain unaffected.

  3. Audit / Monitoring

    • Emit an event whenever tokens are rescued to enable on-chain traceability:

      emit TokensRescued(_token, _amount, _to);
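
The three mitigations above, combined and exercised in a Foundry test. This is an added example, not code from the submission or the audited project. `StrategyStub`, `MockToken`, the revert strings and the inline management check (standing in for `onlyManagement`) are hypothetical, and it assumes forge-std and OpenZeppelin Contracts v5 are installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed test token; not part of the audited code base.
contract MockToken is ERC20 {
    constructor(string memory s) ERC20(s, s) {}
    function mint(address to, uint256 amt) external { _mint(to, amt); }
}

// Hypothetical stand-in for the strategy: only the rescue path is modelled.
contract StrategyStub {
    using SafeERC20 for IERC20;
    address public immutable management = msg.sender; // deployer acts as management
    IERC20 public immutable asset;
    IERC20 public immutable underlying;
    event TokensRescued(address indexed token, uint256 amount, address indexed to);
    constructor(IERC20 _asset, IERC20 _underlying) {
        asset = _asset;
        underlying = _underlying;
    }
    function rescueTokens(address _token, uint256 _amount, address _to) external {
        require(msg.sender == management, "!management");
        require(_token != address(asset) && _token != address(underlying), "protected token");
        IERC20(_token).safeTransfer(_to, _amount);
        emit TokensRescued(_token, _amount, _to); // on-chain trace of every rescue
    }
}

contract RescueTokensTest is Test {
    MockToken asset = new MockToken("ASSET");
    MockToken underlying = new MockToken("UNDER");
    MockToken stray = new MockToken("STRAY");
    StrategyStub strategy = new StrategyStub(asset, underlying); // this test is management
    address treasury = address(0xBEEF);
    function test_rescuePathAndGuards() public {
        stray.mint(address(strategy), 100e18); // simulates an accidental transfer
        strategy.rescueTokens(address(stray), 60e18, treasury);
        assertEq(stray.balanceOf(treasury), 60e18);
        vm.expectRevert("protected token"); // core tokens cannot be swept
        strategy.rescueTokens(address(asset), 1, treasury);
        vm.prank(address(0xBAD)); // unprivileged caller
        vm.expectRevert("!management");
        strategy.rescueTokens(address(stray), 1, treasury);
    }
}
```
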
Updates

Appeal created

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
