Submission Details
Severity: low
Invalid

# Missing Upper Bound on Routes Could Lead to Gas Inefficiencies

Summary

The StrategyMainnet contract's addRoute function places no upper bound on the number of routes that can be added. While not a critical issue, implementing a reasonable upper bound would improve gas efficiency and follow best practices.

Vulnerability Details

```solidity
function addRoute(
    address[11] calldata _route,
    uint256[5][5] calldata _swapParams,
    address[5] calldata _pools
) external onlyManagement {
    routes[nRoutes] = _route;
    swapParams[nRoutes] = _swapParams;
    pools[nRoutes] = _pools;
    nRoutes++; // No maximum limit
}
```

Each route stores significant data:

  • 11 addresses for route (220 bytes)
  • 25 uint256s for swap params (800 bytes)
  • 5 addresses for pools (100 bytes)

Total: ~1120 bytes per route

Impact

  1. While not a DoS concern (even 50 routes wouldn't approach block gas limits), unnecessary routes increase gas costs:
    • Storage costs when adding routes
    • Slightly higher gas when accessing route data in claimAndSwap

  2. There is no cleanup mechanism for outdated routes

Recommendation

Add a reasonable maximum route limit based on expected usage:

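```solidity
uint256 public constant MAX_ROUTES = 10; // Reasonable limit for different pools

function addRoute(
    address[11] calldata _route,
    uint256[5][5] calldata _swapParams,
    address[5] calldata _pools
) external onlyManagement {
    // Reject new routes once the cap is reached
    require(nRoutes < MAX_ROUTES, "Max routes reached");
    routes[nRoutes] = _route;
    swapParams[nRoutes] = _swapParams;
    pools[nRoutes] = _pools;
    nRoutes++;
}
```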

The limit of 10 routes should be more than sufficient for managing different Curve pool routes while maintaining gas efficiency.

Updates

Appeal created

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
