Submission Details
Severity: low
Invalid

# Missing Upper Bound on Routes Could Lead to Gas Inefficiencies

Summary

The `addRoute` function in the `StrategyMainnet` contract places no upper bound on the number of routes that can be added. While not a critical issue, implementing a reasonable upper bound would improve gas efficiency and follow best practices.

Vulnerability Details

```solidity
function addRoute(
    address[11] calldata _route,
    uint256[5][5] calldata _swapParams,
    address[5] calldata _pools
) external onlyManagement {
    routes[nRoutes] = _route;
    swapParams[nRoutes] = _swapParams;
    pools[nRoutes] = _pools;
    nRoutes++; // No maximum limit
}
```

Each route stores significant data:

  • 11 addresses for route (220 bytes)

  • 25 uint256s for swap params (800 bytes)

  • 5 addresses for pools (100 bytes)

Total: ~1120 bytes per route

Impact

  1. While not a DoS concern (even 50 routes wouldn't approach block gas limits), unnecessary routes increase gas costs:

    • Storage costs when adding routes

    • Slightly higher gas when accessing route data in claimAndSwap

  2. No cleanup mechanism for outdated routes

Recommendation

Add a reasonable maximum route limit based on expected usage:

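```solidity
uint256 public constant MAX_ROUTES = 10; // Reasonable limit for different pools

function addRoute(
    address[11] calldata _route,
    uint256[5][5] calldata _swapParams,
    address[5] calldata _pools
) external onlyManagement {
    // Reject new routes once the cap is reached
    require(nRoutes < MAX_ROUTES, "Max routes reached");
    routes[nRoutes] = _route;
    swapParams[nRoutes] = _swapParams;
    pools[nRoutes] = _pools;
    nRoutes++;
}
```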

The limit of 10 routes should be more than sufficient for managing different Curve pool routes while maintaining gas efficiency.
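
A Foundry regression test for the recommended cap, added here as an example and not part of the submission or the project's code. `RouteStore` is a hypothetical stand-in for `StrategyMainnet` (assumed mapping layout, `onlyManagement` omitted), and the route data is constructed; the test also measures what one `addRoute` call costs in storage writes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for StrategyMainnet: only the route storage and the capped
// addRoute from the recommendation. Mapping layout is assumed; access control omitted.
contract RouteStore {
    uint256 public constant MAX_ROUTES = 10;
    uint256 public nRoutes;
    mapping(uint256 => address[11]) internal routes;
    mapping(uint256 => uint256[5][5]) internal swapParams;
    mapping(uint256 => address[5]) internal pools;

    function addRoute(address[11] calldata _route, uint256[5][5] calldata _swapParams, address[5] calldata _pools) external {
        require(nRoutes < MAX_ROUTES, "Max routes reached");
        routes[nRoutes] = _route;
        swapParams[nRoutes] = _swapParams;
        pools[nRoutes] = _pools;
        nRoutes++;
    }
}

contract RouteCapTest is Test {
    RouteStore store;
    address[11] route; // constructed sample data, all non-zero
    uint256[5][5] params;
    address[5] poolList;

    function setUp() public {
        store = new RouteStore();
        for (uint256 i; i < 11; i++) route[i] = address(uint160(i + 1));
        for (uint256 i; i < 5; i++) {
            poolList[i] = address(uint160(i + 100));
            for (uint256 j; j < 5; j++) params[i][j] = 1;
        }
    }

    function test_capAndCostPerRoute() public {
        uint256 g = gasleft();
        store.addRoute(route, params, poolList);
        uint256 used = g - gasleft();
        // Each address and uint256 element takes its own slot: 11 + 25 + 5 = 41
        // fresh slots, and a zero-to-non-zero SSTORE costs at least 20,000 gas.
        assertGt(used, 41 * 20_000);
        // Fill the remaining capacity, then confirm the next call is rejected.
        for (uint256 i = 1; i < store.MAX_ROUTES(); i++) store.addRoute(route, params, poolList);
        vm.expectRevert(bytes("Max routes reached"));
        store.addRoute(route, params, poolList);
    }
}
```

Run it with `forge test --match-test test_capAndCostPerRoute -vv` in a project that has `forge-std` installed.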

Updates

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
