Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Missing addRoute functionality in StrategyOp.sol and StrategyArb.sol

tanishqsharma612

Vulnerability Details

In StrategyOp.sol and StrategyArb.sol, there is no function that allows to add routes for token swap or sets the routes for token swap.

For example: In StrategyMainnet.sol , its having a function named as addRoute

function addRoute(

address[11] calldata _route,

uint256[5][5] calldata _swapParams,

address[5] calldata _pools

) external onlyManagement {

routes[nRoutes] = _route;

swapParams[nRoutes] = _swapParams;

pools[nRoutes] = _pools;

nRoutes++;

}

Allows to add a new path to be passed into Router for swap.

Impact:

The current design relies on the keeper to supply the swap path (_path) during the claimAndSwap function. If this path is incorrect or malicious, it could cause:

Inefficient swaps.
Loss of funds.
Direct exploitation by routing swaps to malicious pools.

Tools Used

Manual Review

Recommendations

Introduce a function for authorized actors (e.g., onlyManagement) to add or update paths for the Ramses Router. A function similar to addRoute implemented in StrategyMainnet.sol can be added to StrategyOp.sol and StrategyArb.sol .

Updates

Appeal created

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.