Published in Immunefi

Alchemix Access Control Bugfix Review

Summary

Whitehat Ashiq Amien, security researcher at the auditing firm iosiro, discovered a vulnerability in Alchemix on June 16, which consisted of an access control issue. The vulnerability was given a severity rating of “high.” Alchemix rewarded Ashiq a bounty of $7,500, paid to iosiro at request. Funds at risk were very low, though if the bug had remained undetected and unpatched, it’s possible that it would have become a much bigger issue down the line for future Alchemix strategies. Alchemix has patched the vulnerability. We’d like to congratulate Ashiq for using his auditing skills to moonlight as a bounty hunter and picking up rep not only for himself, but for iosiro as well. Ashiq previously picked up a bounty of $42,069 from 88mph.

Vulnerability Analysis

Alchemix is a protocol that provides instant loans which pay themselves off over time through future yield. Users deposit DAI, and the protocol in turn mints alUSD for them, a synthetic token that tokenizes future yield. The yield comes from collateral that is deposited in yearn.finance vaults, which turned out to be the key factor that kept this vulnerability from being disastrous. This yield from the yearn.finance vault repays the advance over time.

As part of the process, alUSD can be transmuted 1-to-1 back into DAI or traded on a decentralized exchange.

The actual problem, however, was present in the contract in the function . Any user could have called to give an attacker the ability to call the harvest function (harvesting the yield of any vault) or to call the flush function (depositing all buffered tokens to the active vault). While these two actions are relatively harmless, an attacker could also front-run the intended keeper addresses to block and from being called, effectively causing a denial of service.

However, because Alchemix wraps a yearn vault, and yearn vaults have robust safeguards against forced withdrawals causing unexpected losses, estimated losses from this attack are approximately $300, despite the fact that about 1,450 ETH is deposited into that Alchemix contract, which is then custodied in yearn.

Vulnerability Fix

The Alchemix team added an modifier and changed the function name to , so that only governance can whitelist addresses to call and .
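The access-control pattern behind this bug and its fix, as an added illustration that is not Alchemix's code: a keeper whitelist whose setter anyone can call, beside the same setter restricted to governance. The contract, function and modifier names here are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical illustration of the bug class described above; not Alchemix code.
// Keeper-only actions (harvest/flush) are gated by a whitelist; what matters is
// who is allowed to edit that whitelist.
abstract contract KeeperGated {
    address public governance;
    mapping(address => bool) public whitelist;

    constructor() { governance = msg.sender; }

    modifier onlyWhitelisted() {
        require(whitelist[msg.sender], "not whitelisted");
        _;
    }

    modifier onlyGov() {
        require(msg.sender == governance, "not governance");
        _;
    }

    function harvest() external onlyWhitelisted { /* collect yield from the vault */ }
    function flush() external onlyWhitelisted { /* deposit buffered tokens into the vault */ }
}

// BUG: the setter has no access control, so any account can whitelist itself
// or remove the legitimate keepers, which is the denial of service the report describes.
contract VulnerableKeeperWhitelist is KeeperGated {
    function setWhitelist(address _keeper, bool _state) external {
        whitelist[_keeper] = _state;
    }
}

// Hardened form: only governance may change who is whitelisted, and every
// change is logged so keeper churn can be monitored off-chain.
contract HardenedKeeperWhitelist is KeeperGated {
    event WhitelistUpdated(address indexed keeper, bool state);

    function setWhitelist(address _keeper, bool _state) external onlyGov {
        whitelist[_keeper] = _state;
        emit WhitelistUpdated(_keeper, _state);
    }
}
```

When reviewing a contract of this shape, check every function that writes to a role or whitelist mapping for a restricting modifier, not just the functions the role protects.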

Acknowledgements

We’d like to thank the Alchemix team for their rapid and effective response to the bug report. Alchemix paid out a bounty of $7,500 to the whitehat. We’d like to thank Ashiq and iosiro for venturing into the bug bounty space and making a name for themselves. To report additional vulnerabilities, please see Alchemix’s bug bounty program with Immunefi. If you’re interested in protecting your project with a bug bounty like Alchemix, visit the Immunefi services page and fill out the form.

P.S. Hackers subscribed to our newsletter are 35.8% more likely to earn a bug bounty. Click here to sign up.
