56893 sc low pending admin cannot accept ownership in alchemistcurator

Submitted on Oct 21st 2025 at 15:15:57 UTC by @liae for Audit Comp | Alchemix V3

  • Report ID: #56893

  • Report Type: Smart Contract

  • Report severity: Low

  • Target: https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/AlchemistCurator.sol

  • Impacts:

    • Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

The pending admin cannot accept ownership in AlchemistCurator because the acceptAdminOwnership() function uses the onlyAdmin modifier.

Vulnerability Details

AlchemistCurator.sol:acceptAdminOwnership() is intended to allow the pendingAdmin to accept ownership, but this is not possible due to the use of the onlyAdmin modifier:

function acceptAdminOwnership() external onlyAdmin {
    ...
}
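
The access-control mistake described above, shown next to a corrected gate. This is an added sketch, not code from AlchemistCurator.sol or the Alchemix repository: the contract names, storage layout, custom errors, event and transferAdminOwnership() are assumptions, and only onlyAdmin, pendingAdmin and acceptAdminOwnership() are names taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not AlchemistCurator's source. Everything except the names
// onlyAdmin, pendingAdmin and acceptAdminOwnership() is hypothetical.
abstract contract TwoStepAdminBase {
    address public admin;
    address public pendingAdmin;

    error NotAdmin();
    error NotPendingAdmin();

    event AdminOwnershipTransferred(address indexed previousAdmin, address indexed newAdmin);

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    // Step 1 (hypothetical name): the current admin nominates a successor.
    function transferAdminOwnership(address newAdmin) external onlyAdmin {
        pendingAdmin = newAdmin;
    }

    // Shared state change for step 2: promote the nominee and clear the slot.
    function _promotePending() internal {
        emit AdminOwnershipTransferred(admin, pendingAdmin);
        admin = pendingAdmin;
        pendingAdmin = address(0);
    }
}

// Pattern from the report: step 2 is gated on the *current* admin, so a call
// from the nominee reverts with NotAdmin and the nominee can never accept.
contract BrokenAccept is TwoStepAdminBase {
    function acceptAdminOwnership() external onlyAdmin {
        _promotePending();
    }
}

// Corrected gate: only the nominated address may complete the transfer.
contract FixedAccept is TwoStepAdminBase {
    function acceptAdminOwnership() external {
        if (msg.sender != pendingAdmin) revert NotPendingAdmin();
        _promotePending();
    }
}
```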

Impact Details

The acceptAdminOwnership() function does not work as intended, but there is no risk of fund loss.

References

https://github.com/alchemix-finance/v3-poc/blob/a192ab313c81ba3ab621d9ca1ee000110fbdd1e9/src/AlchemistCurator.sol#L31

Proof of Concept

Add this test case to src/test/AlchemistCurator.t.sol:

Run it with command:
