Alchemix Transmuter

Summary

The setRouter(address _router) function in the StrategyOp contract lacks a zero-address validation check. This allows the router to be set to the zero address (address(0)), which could break the contract's core functionality, including swapping operations.

Vulnerability Details

Missing Zero-Address Validation

• Function Affected: setRouter(address _router)

• Issue: The function assigns _router directly to the router state variable without checking if _router is a valid non-zero address:

Reason for concern:

• The router is a critical dependency for swap operations via _swapUnderlyingToAsset() and other functions in the strategy.

• Setting the router to address(0)would result in calls to the zero address, which would revert, rendering the contract inoperable for its intended purpose.

Likelihood

While the function is restricted by the onlyManagement modifier, accidental misconfiguration or intentional misuse by a compromised management account could result in setting router to address(0).

Impact

Core functionality broken:

• Swapping operations that rely on router (e.g., _swapUnderlyingToAsset) would fail because calls to the zero address (address(0)) revert by default.

• This would render the strategy unable to execute swaps, leading to downtime or stranded funds.

Potential Financial Losses:

• Funds already deployed in the strategy might not be recovered due to the inability to manage or withdraw them effectively.

Operational Downtime:

• The entire strategy could become non-functional until router is updated to a valid address.

Tools Used

Manual code review, Slither, AI

Recommendations

Add Zero Address Validation

Verify Router is a contract address