56673 sc high zero cost fee farming via forced earmarked repayment

Submitted on Oct 19th 2025 at 08:51:34 UTC by @failsafe_intern for Audit Comp | Alchemix V3

Report ID: #56673
Report Type: Smart Contract
Report severity: High
Target: https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/AlchemistV3.sol
Impacts:
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Description

Vulnerability Overview

Any external caller can repeatedly trigger forced earmarked debt repayment on accounts with positive earmarked debt and receive repayment fees directly from victim collateral, even when providing zero capital. This enables continuous fee extraction from all borrowers with earmarked debt.

Root Cause

AlchemistV3.sol:585-598 - _liquidate() pays repayment fees to callers even for zero-capital forced repayments:

// LINE 585-593: Pay fee when debt reaches zero after earmark repayment
if (account.debt == 0) {
    feeInYield = _resolveRepaymentFee(accountId, repaidAmountInYield);
    TokenUtils.safeTransfer(myt, msg.sender, feeInYield);
    return (repaidAmountInYield, feeInYield, 0);
}

// LINE 595-598: Pay fee when account becomes healthy after earmark repayment
} else {
    feeInYield = _resolveRepaymentFee(accountId, repaidAmountInYield);
    TokenUtils.safeTransfer(myt, msg.sender, feeInYield);
    return (repaidAmountInYield, feeInYield, 0);
}

AlchemistV3.sol:548-555 - _resolveRepaymentFee() extracts fee from victim collateral:

function _resolveRepaymentFee(uint256 accountId, uint256 repaidAmountInYield) internal returns (uint256 fee) {
    Account storage account = _accounts[accountId];
    fee = repaidAmountInYield * repaymentFee / BPS;
    account.collateralBalance -= fee > account.collateralBalance ? account.collateralBalance : fee;
    return fee;
}

AlchemistV3.sol:765-797 - _forceRepay() uses victim's own collateral for repayment:

function _forceRepay(uint256 accountId, uint256 amount) internal returns (uint256) {
    // ... validation ...
    uint256 creditToYield = convertDebtTokensToYield(credit);
    _subDebt(accountId, credit);
    earmarkToRemove = credit > account.earmarked ? account.earmarked : credit;
    account.earmarked -= earmarkToRemove;
    creditToYield = creditToYield > account.collateralBalance ? account.collateralBalance : creditToYield;
    account.collateralBalance -= creditToYield;  // Uses victim's collateral
    // ... protocol fee deduction ...
}

The code does not distinguish between liquidations requiring capital injection and forced earmark repayments using victim's own collateral. Both code paths pay the same repayment fee to msg.sender.

Attack Flow

Precondition: Target account has earmarked > 0 (accumulated through transmuter redemptions)
Attacker Action: Call liquidate(accountId) with zero capital
Line 484: _liquidate() calls _forceRepay() if account.earmarked > 0
Line 765-797: _forceRepay() repays earmarked debt using victim's collateral
Line 585-598: If account becomes healthy or debt reaches zero, pay repayment fee
Line 548-555: _resolveRepaymentFee() deducts repaymentFee% from victim's collateral
Line 590/598: Fee transferred to msg.sender (attacker)
Result: Attacker receives fee without providing any capital
Repeat: Attack continues as new earmarks accumulate

Impact

Economic Loss: Continuous collateral drain from all borrowers with earmarked debt.

Attack Specifics:

Capital Required: 0 (attacker provides no repayment funds)
Fee Earned: repaymentFee% of earmarked amount (e.g., 1% of 10 ETH = 0.1 ETH per harvest)
Gas Cost: ~150k-300k per liquidate() call
Repeatability: Unlimited, as earmarks continuously accrue via transmuter
Scale: Affects all users with earmarked > 0

Attack Economics:

If repaymentFee = 1% and typical earmarked debt is 10 ETH worth
Attacker extracts 0.1 ETH worth of MYT per call
With gas at 50 gwei, cost is ~0.0075-0.015 ETH
Net profit: 0.085-0.0925 ETH per harvest (~10-12x gas cost)
Scales across hundreds of accounts

System-Wide Impact:

Perverse incentive: Attackers harvest from healthy accounts rather than liquidate unhealthy ones
Legitimate liquidations become less profitable (opportunity cost)
User collateral drained over time through repeated harvesting
Protocol reputation damage from unexpected fee extraction

Link to Proof of Concept

https://gist.github.com/Joshua-Medvinsky/b10216c271f32985695adf87e20fd78b

Proof of Concept

3. Proof of Concept

Step-by-Step Reproduction

Setup:

// Deploy AlchemistV3 with repaymentFee = 100 BPS (1%)
// User account setup:
accountId = 1
account.collateralBalance = 100 ETH worth of MYT
account.debt = 50 ETH worth
account.earmarked = 10 ETH worth (accumulated from transmuter)
account.collateralizationRatio = 200% (HEALTHY)

Step 1: Attacker Harvests Fee Without Capital

// Attacker calls (providing ZERO capital):
AlchemistV3.liquidate(accountId);

// Execution path:
// 1. liquidate() → _liquidate(accountId)
// 2. _liquidate() checks: account.earmarked > 0 ✅
// 3. _liquidate() calls: _forceRepay(accountId, account.earmarked)

Step 2: Forced Repayment Using Victim's Collateral

// LINE 765-797: _forceRepay() executes:
uint256 creditToYield = convertDebtTokensToYield(10 ETH) = 10 MYT
_subDebt(accountId, 10 ETH)  // debt: 50 → 40 ETH
account.earmarked = 0
account.collateralBalance -= 10 MYT  // collateral: 100 → 90 MYT

// CRITICAL: Repayment used victim's own collateral (not attacker's capital)

Step 3: Fee Extracted from Victim

// LINE 585-598: Check if account is now healthy
account.collateralizationRatio = (90 MYT / 40 debt) = 225% > lowerBound

// Account is healthy, so LINE 595-598 executes:
feeInYield = _resolveRepaymentFee(accountId, 10 MYT)

// LINE 548-555: Calculate fee
fee = 10 MYT * 100 BPS / 10000 = 0.1 MYT (1%)
account.collateralBalance -= 0.1 MYT  // collateral: 90 → 89.9 MYT

// LINE 598: Transfer fee to attacker
TokenUtils.safeTransfer(myt, msg.sender, 0.1 MYT)

Result:

// Attacker balance: +0.1 MYT
// Attacker capital used: 0
// Victim collateral: -10.1 MYT (10 for repayment + 0.1 fee)
// Victim debt: -10 ETH worth
// Net effect: Attacker profited 0.1 MYT with ZERO capital

Step 4: Repeat Attack

// After more earmarks accumulate (e.g., 5 ETH worth):
AlchemistV3.liquidate(accountId);

// Another 0.05 MYT fee extracted (1% of 5 ETH)
// Attack repeats indefinitely as earmarks continuously accrue

Validation Steps

Expected Behavior: Repayment fees should only be paid when external party provides capital to liquidate unhealthy positions.

Actual Behavior: Fees are paid even when:

No capital is provided by caller
Repayment uses victim's own collateral
Account is healthy (not underwater)
Only earmarked debt is being burned

Code References

Vulnerable Functions:

Fee payment: _liquidate() at lines 585-598 (AlchemistV3.sol)
Fee calculation: _resolveRepaymentFee() at lines 548-555 (AlchemistV3.sol)
Forced repayment: _forceRepay() at lines 765-797 (AlchemistV3.sol)
Entry point: liquidate() at line 495 (AlchemistV3.sol)

Critical Logic Flaw: The code does not check whether the liquidation required external capital. Both code paths (actual liquidation vs forced earmark repayment) execute the same fee payment logic at lines 585-598.

Proof of Concept (GitHub Gist)

Complete Foundry POC: https://gist.github.com/Joshua-Medvinsky/b10216c271f32985695adf87e20fd78b

The gist contains:

AlchemistV3Harness.sol - Vulnerable code extracted from AlchemistV3.sol (lines 548-889)
MockContracts.sol - Mock MYT token and Transmuter for isolated testing
ECON_C001_POC.t.sol - 7 comprehensive tests demonstrating the attack
foundry.toml - Forge configuration
README.md - Setup instructions and detailed analysis

Test Results: ✅ All tests passing

Test demonstrates attacker extracting 0.1 MYT fee with ZERO capital
Victim loses collateral, attacker gains fee
ROI: Infinite (zero capital investment)

Mitigation

Option 1: Require Capital for Fee

// Track whether caller provided capital:
bool callerProvidedCapital = false;
if (collateralizationRatio <= lowerBound) {
    // Actual liquidation path - caller provides capital
    callerProvidedCapital = true;
    // ... liquidation logic ...
}

// Only pay fee if capital was provided:
if (callerProvidedCapital) {
    feeInYield = _resolveRepaymentFee(accountId, repaidAmountInYield);
    TokenUtils.safeTransfer(myt, msg.sender, feeInYield);
}

Option 2: Access Control

// Restrict forced earmark repayment to authorized liquidators:
if (account.earmarked > 0 && !isAuthorizedLiquidator(msg.sender)) {
    revert UnauthorizedForcedRepayment();
}

Previous57311 sc medium moonwell allocation and deallocation can fail silently causing incorrect state updates and loss of yield Next58369 sc high missing mytsharesdeposited decrements in forcerepay doliquidation leads to smart contract unable to operate due to lack of token funds

Was this helpful?

hashtagDescription

hashtagVulnerability Overview

hashtagRoot Cause

hashtagAttack Flow

hashtagImpact

hashtagLink to Proof of Concept

hashtagProof of Concept

hashtag3. Proof of Concept

hashtagStep-by-Step Reproduction

hashtagValidation Steps

hashtagCode References

hashtagProof of Concept (GitHub Gist)

hashtagMitigation