
High Risk Vulnerability Disclosed to Alchemix

August 13, 2021

## Introduction

On June 14 2021, [Ashiq Amien](https://twitter.com/AshiqAmien), a security researcher at iosiro, identified a high-risk vulnerability in Alchemix. An attacker could exploit this vulnerability to prevent all legitimate actors from collecting the contract's associated yield. The bug was disclosed to the Alchemix team through [Immunefi](https://immunefi.com/) for a bug bounty of $7,500 ([debrief](https://medium.com/immunefi/alchemix-access-control-bug-fix-debrief-a13d39b9f2e0)).

## Bug Details

Alchemix is a DeFi protocol that allows for the creation of synthetic tokens representing the future yield of a deposit. The vulnerability was identified in the `AlchemistEth` contract, which was responsible for minting synthetic tokens and managing interactions with the vaults. [In the implementation](https://github.com/alchemix-finance/alchemix-protocol/blob/0261dd5a23c63aaa354d56f506701a6fa79cfe1f/contracts/AlchemistEth.sol#L358), the `setWhitelist()` function had no access control at all and could be called by an arbitrary address.

<pre>
<code class="language-solidity">
// No modifier and no sender check: any address reaches the loop below.
function setWhitelist(address[] calldata accounts, bool[] calldata flags) external {
  uint256 numAccounts = accounts.length;
  for (uint256 i = 0; i < numAccounts; i++) {
    whitelist[accounts[i]] = flags[i];
  }
  emit WhitelistSet(accounts, flags);
}
</code>
</pre>

This allowed an attacker to modify the whitelist that controlled access to the `harvest()` and `flush()` functions. As a result, the attacker could either deny legitimate access to the functions or permit illegitimate addresses.

In order to properly mitigate the issue, validation should be included to control access to the `setWhitelist()` function, either by using the `onlyGov` modifier or by including the following check:

<pre>
<code class="language-solidity">
require(msg.sender == governance || msg.sender == sentinel, "Invalid address");
</code>
</pre>
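
The hardened form of the function in context, as an added example that is not Alchemix's own code: a minimal contract wires the whitelist to a guarded yield function and applies the sender check above in `setWhitelist()`. The contract name, `setSentinel()`, `onlyWhitelisted` and the `Harvested` event are assumptions for this illustration; `governance`, `sentinel`, `onlyGov`, `whitelist` and `WhitelistSet` are the names the post uses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration (not Alchemix's code): the setWhitelist() pattern with
// the access control the original lacked. The contract name, setSentinel()
// and onlyWhitelisted are assumed for this example.
contract WhitelistedYield {
    address public governance;
    address public sentinel;
    mapping(address => bool) public whitelist;
    event WhitelistSet(address[] accounts, bool[] flags);
    event Harvested(address indexed caller);

    constructor(address _governance, address _sentinel) {
        governance = _governance;
        sentinel = _sentinel;
    }

    // Governance-only gate, the modifier the post names as one fix option.
    modifier onlyGov() {
        require(msg.sender == governance, "Only governance");
        _;
    }

    // Gate for the yield functions that the whitelist protects.
    modifier onlyWhitelisted() {
        require(whitelist[msg.sender], "Not whitelisted");
        _;
    }

    function setSentinel(address _sentinel) external onlyGov {
        sentinel = _sentinel;
    }

    // Hardened version: the first require is the check the post proposes;
    // without it any address could rewrite the whitelist.
    function setWhitelist(address[] calldata accounts, bool[] calldata flags) external {
        require(msg.sender == governance || msg.sender == sentinel, "Invalid address");
        require(accounts.length == flags.length, "Length mismatch"); // added input check
        uint256 numAccounts = accounts.length;
        for (uint256 i = 0; i < numAccounts; i++) {
            whitelist[accounts[i]] = flags[i];
        }
        emit WhitelistSet(accounts, flags);
    }

    // Stand-in for harvest()/flush(): only whitelisted callers get through.
    function harvest() external onlyWhitelisted {
        emit Harvested(msg.sender);
    }
}
```

A unit test for this fix should assert that a call to `setWhitelist()` from an address that is neither `governance` nor `sentinel` reverts, and that `harvest()` reverts for any address the whitelist does not flag.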

## Conclusion

Thanks to the team at [Immunefi](https://immunefi.com/) for their support during the disclosure and remediation process, and to [Alchemix](https://alchemix.fi/) for using the bug bounty program to encourage responsible disclosure of security issues.

In addition to running a bug bounty, we recommend that projects undergo external audits of their systems before going to production. If you’d like to get your smart contracts audited by an experienced team, reach out to us at hello@iosiro.com.
