Summary
Whitehat Ashiq Amien, security researcher at the auditing firm iosiro, discovered a vulnerability in Alchemix on June 16, which consisted of an access control issue. The vulnerability was given a severity rating of “high.” Alchemix rewarded Ashiq a bounty of $7,500, paid to iosiro at request. Funds at risk were very low, though if the bug had remained undetected and unpatched, it’s possible that it would have become a much bigger issue down the line for future Alchemix strategies. Alchemix has patched the vulnerability. We’d like to congratulate Ashiq for using his auditing skills to moonlight as a bounty hunter and picking up rep not only for himself, but for iosiro as well. Ashiq previously picked up a bounty of $42,069 from 88mph.
Vulnerability Analysis
Alchemix is a protocol that provides instant loans which pay themselves off over time through future yield. Users can deposit DAI, and the protocol in turn mints the users alUSD, which is a synthetic token that tokenizes future yield. The yield comes from collateral that is deposited in yearn.finance vaults, which incidentally is a key aspect of what ultimately prevented this vulnerability from being disastrous. This yield from the yearn.finance vault repays the advance over time.
As part of the process, alUSD can be transmuted 1-to-1 back into DAI or traded on a decentralized exchange.
The actual problem, however, was present in the AlchemistEth.sol contract in the function setWhitelist(). Any user could have called setWhitelist() to give an attacker the ability to call the harvest function (harvesting the yield of any vault) or to call the flush function (depositing all buffered tokens to the active vault). While these two actions are relatively harmless, an attacker could also front-run the intended keeper addresses to block harvest() and flush() from being called, effectively causing a denial of service.
However, because Alchemix wraps a yearn vault and yearn vaults have robust safeguards in place regarding forced withdrawals causing unexpected losses, estimated losses from this attack are approximately $300, despite the fact that about 1,450 ETH is deposited into that Alchemix contract, which is then custodied in yearn.
Vulnerability Fix
The Alchemix team added an onlyGov modifier and changed the function name to setKeepers(), so that only governance can whitelist addresses to call harvest() and flush().
Acknowledgements
We’d like to thank the Alchemix team for their rapid and effective response to the bug report. Alchemix paid out a bounty of $7,500 to the whitehat. We’d like to thank Ashiq and iosiro for venturing into the bug bounty space and making a name for themselves.
If you’d like to start bug hunting, we got you. Check out the Web3 Security Library, and start earning rewards on Immunefi — the leading bug bounty platform for web3 with the world’s biggest payouts.
To report additional vulnerabilities, please see Alchemix’s bug bounty program with Immunefi. If you’re interested in protecting your project with a bug bounty like Alchemix, visit the Immunefi services page and fill out the form.
