#56516 [SC - High] Allocate assets in killswitch mode can lead to assets stuck on contract

Submitted on Oct 17th 2025 at 07:24:05 UTC by @ox9527 for Audit Comp | Alchemix V3

  • Report ID: #56516
  • Report Type: Smart Contract
  • Report severity: High
  • Target: https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/MYTStrategy.sol
  • Impacts:
    • Permanent freezing of funds

Description

Brief/Intro

The MYTStrategy.sol::allocate() function is invoked by two functions within the Morpho V2 vault:

  • VaultV2.sol::mint() -> enter() -> allocateInternal() -> allocate()

  • VaultV2.sol::allocate() -> allocateInternal() -> allocate()

Note that mint() is a public function, while allocate() can only be called by users with the Allocator role.

In MYTStrategy.sol::allocate(), there is a kill switch / emergency mode. When the kill switch is active (killSwitch == true), the function immediately returns without performing any allocation logic:

    function allocate(bytes memory data, uint256 assets, bytes4 selector, address sender)
        external
        onlyVault
        returns (bytes32[] memory strategyIds, int256 change)
    {
        if (killSwitch) {
            // <@ early return: the assets the vault has already transferred in are
            // neither deployed nor recorded, and nothing reverts that transfer
            return (ids(), int256(0));
        }
        // ... remaining allocation logic (not reproduced in this excerpt)
    }

However, in both the mint() and allocate() flows the vault transfers the assets to the strategy inside allocateInternal() before it calls the strategy's allocate().

As a result, when the kill switch is active the assets are moved from the vault to MYTStrategy.sol, but because allocate() returns (ids(), 0) without touching them, they are neither deployed nor accounted for and remain stuck in the MYTStrategy.sol contract.
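The following is an added illustration, not Alchemix or Morpho code: a stripped-down vault and two strategy variants that reproduce only the call ordering described above (transfer first, then allocate()). With the early-return pattern, the strategy's token balance grows while its own accounting does not; the hardened variant reverts instead, so the vault's transfer in the same transaction is rolled back. All names (SimpleVault, MockToken, StrategyBase, KillSwitchActive, recorded) are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Example code, not the project's own. Contracts and names below are constructed
// stand-ins that model only the ordering the report describes.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

interface IStrategy {
    function allocate(bytes memory data, uint256 assets, bytes4 selector, address sender)
        external
        returns (bytes32[] memory strategyIds, int256 change);
}

// Minimal token so the example is self-contained (constructed, not a real ERC20).
contract MockToken is IERC20 {
    mapping(address => uint256) public override balanceOf;

    constructor(address to, uint256 amount) { balanceOf[to] = amount; }

    function transfer(address to, uint256 amount) external override returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Vault side: assets leave the vault BEFORE the strategy's allocate() runs.
contract SimpleVault {
    IERC20 public immutable token;

    constructor(IERC20 _token) { token = _token; }

    function allocateInternal(IStrategy strategy, uint256 assets) external {
        require(token.transfer(address(strategy), assets), "transfer failed");
        // If allocate() returns silently, the transfer above is not undone.
        strategy.allocate("", assets, msg.sig, msg.sender);
    }
}

// Shared state and access control for both variants.
abstract contract StrategyBase is IStrategy {
    address public immutable vault;
    address public immutable owner;
    bool public killSwitch;
    uint256 public recorded; // assets the strategy has actually accounted for

    constructor(address _vault) { vault = _vault; owner = msg.sender; }

    modifier onlyVault() { require(msg.sender == vault, "not vault"); _; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function setKillSwitch(bool on) external onlyOwner { killSwitch = on; }
}

// Pattern described in the report: early return leaves received assets unrecorded.
contract VulnerableStrategy is StrategyBase {
    constructor(address _vault) StrategyBase(_vault) {}

    function allocate(bytes memory, uint256 assets, bytes4, address)
        external override onlyVault returns (bytes32[] memory, int256)
    {
        if (killSwitch) {
            // Assets already sit in this contract; nothing records or returns them.
            return (new bytes32[](0), int256(0));
        }
        recorded += assets;
        return (new bytes32[](0), int256(assets));
    }
}

// Hardened variant: revert so the vault's transfer in the same transaction is rolled back.
contract HardenedStrategy is StrategyBase {
    error KillSwitchActive();

    constructor(address _vault) StrategyBase(_vault) {}

    function allocate(bytes memory, uint256 assets, bytes4, address)
        external override onlyVault returns (bytes32[] memory, int256)
    {
        if (killSwitch) revert KillSwitchActive();
        recorded += assets;
        return (new bytes32[](0), int256(assets));
    }
}
```

To observe the difference: deploy MockToken with the vault as holder, enable the kill switch on each strategy, and call SimpleVault.allocateInternal(strategy, assets). For VulnerableStrategy the call succeeds with token.balanceOf(strategy) == assets while recorded stays 0, which is exactly the stranded state the report describes; for HardenedStrategy the whole call reverts with KillSwitchActive and the vault keeps its balance. An equivalent defensive option on the vault side is to check the strategy's kill switch before transferring, but reverting in the strategy protects every caller regardless of which vault path invokes it.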

Vulnerability Details

Above

Impact Details

Assets become stuck in the contract whenever allocate() is reached while the kill switch is active, whether triggered by a public user via mint() or by an Allocator via allocate().

References

https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/MYTStrategy.sol?utm_source=immunefi#L107-L109

Proof of Concept

Add the test to the file AlchemistAllocator.t.sol.
