Open code423n4 opened 2 years ago
0xfoobar
commented
2 years ago Sponsor acknowledged
Given that the gALCX deployment has 412 unique tokenholders on mainnet, this series of events is extraordinarily unlikely to occur. But we will keep it in mind for future deployments.
0xleastwood
commented
2 years ago Nice find! Early stakers can DoS new contract deployments, making it impossible for other users to participate in the protocol. As this does not lead to lost funds and is recoverable through redeployment, I believe medium severity to be justified by the warden.
Lines of code
https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-hardhat/gALCX.sol#L73-L76
Vulnerability details
Impact
An attacker can make the contract unusable when totalSupply is 0. Specifically,
bumpExchangeRatefunction does not work correctly which results in makingstake,unstakeandmigrateSourcefunctions that do not work as expected.Proof of Concept
Here are steps on how the
gALCXcontract can be unusable.gALCXcontract is deployedThe attacker sends the
ALCXtoken to the deployedgALCXcontract directly instead of usingstakefunction so that the followingbalancevariable has value.https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-hardhat/gALCX.sol#L73-L75
ALCXtoken is given to thegALCXcontract directly,totalSupply == 0andalcx.balanceOf(address(this)) > 0becomes true.https://github.com/code-423n4/2022-05-alchemix/blob/main/contracts-hardhat/gALCX.sol#L76
Non attackers try to call
stakefunction, butbumpExchangeRatefunction fails because of(balance * exchangeRatePrecision) / totalSupplywhen totalSupply is 0.Owner cannot call
migrateSourcefunction sincebumpExchangeRatewill be in the same situation mentioned in the step4 aboveTools Used
Static code analysis
Recommended Mitigation Steps
Add handling when
totalSupplyis 0 butalcx.balanceOf(address(this))is more than 0.