search
Active Boosts

56878 sc medium the permissionedcalls check can be bypass

Submitted on Oct 21st 2025 at 13:10:35 UTC by @ox9527 for Audit Comp | Alchemix V3arrow-up-right

  • Report ID: #56878

  • Report Type: Smart Contract

  • Report severity: Medium

  • Target: https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/utils/PermissionedProxy.sol

  • Impacts:

    • Contract fails to deliver promised returns, but doesn't lose value

hashtag
Description

hashtag
Brief/Intro

In the AlchemistAllocator::constructor() , allocate and deallocate is set to true via permissionedCalls mapping , to prevent PermissionedProxy.sol::proxy() function from invoking those two function , however VaultV2.sol::multicall() function is not add to permissionedCalls mapping.

hashtag
Vulnerability Details

In the AlchemistAllocator::constructor():

    constructor(address _vault, address _admin, address _operator) PermissionedProxy(_admin, _operator) {
        require(IVaultV2(_vault).asset() != address(0), "IV");
        vault = IVaultV2(_vault);

        // allocate(address adapter, bytes memory data, uint256 assets)
        permissionedCalls[0x5c9ce04d] = true;
        // deallocate(address adapter, bytes memory data, uint256 assets)
        permissionedCalls[0x4b219d16] = true;
    }

In the PermissionedProxy.sol::proxy() :

However VaultV2.sol has multicall function , allocate and deallocate can be called via multicall function.

hashtag
Impact Details

by pass the permissionedCalls check

hashtag
References

hashtag
Proof of Concept

hashtag
Proof of Concept

Previous58185 sc medium incorrect survivalaccumulator accounting logic after earmarkweight reaches 128 breaks core system invariants and can lead to protocol insolvencyNext58472 sc high liquidator base fee seized but not paid due to post deduction balance check

Was this helpful?