#57208 [SC - Insight] It is possible to prevent lowering the deposit cap by front-running

Submitted on Oct 24th 2025 at 11:46:06 UTC by @PotEater for Audit Comp | Alchemix V3

  • Report ID: #57208

  • Report Type: Smart Contract

  • Report severity: Insight

  • Target: https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/AlchemistV3.sol

  • Impacts:

Description

Brief/Intro

The function setDepositCap can be DoS'd by front-running when setting the deposit cap to a lower value.

Vulnerability Details

The function setDepositCap implements a check that ensures depositCap is always >= IERC20(myt).balanceOf(address(this)).

This makes the function vulnerable to a front-running/griefing attack: an attacker can front-run the admin's transaction by depositing enough tokens into the contract to bring its balance up to the deposit cap.

When the admin's transaction then executes, it reverts because the new cap is lower than the contract's MYT balance. The attacker can then withdraw the tokens immediately, with no restrictions or fees, which makes the griefing cheap to repeat and increases its likelihood.
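To make the failure mode concrete from the defender's side, here is a simplified vault written as an added example for this report; it is not AlchemistV3's code, and the contract names, the `totalDeposited` accounting and the `onlyAdmin` modifier are assumptions chosen to mirror the pattern described above. The first setter reproduces the balance check the report describes; the second enforces the cap only at deposit time, so lowering the cap never depends on the contract's current balance and cannot be blocked by a prior deposit.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the Alchemix V3 code base. Names are assumed.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Shared deposit/withdraw logic. The cap is enforced on every deposit in
/// both variants; only the setter differs.
abstract contract CapVaultBase {
    IERC20 public immutable myt;
    address public immutable admin;
    uint256 public depositCap;
    uint256 public totalDeposited;              // internal accounting, not balanceOf
    mapping(address => uint256) public shares;

    error Unauthorized();
    error CapExceeded(uint256 wouldBe, uint256 cap);

    constructor(IERC20 myt_, uint256 cap_) {
        myt = myt_;
        admin = msg.sender;
        depositCap = cap_;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert Unauthorized();
        _;
    }

    function deposit(uint256 amount) external {
        // Cap applies to new deposits only; existing positions are never forced out.
        uint256 wouldBe = totalDeposited + amount;
        if (wouldBe > depositCap) revert CapExceeded(wouldBe, depositCap);
        totalDeposited = wouldBe;
        shares[msg.sender] += amount;
        require(myt.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    function withdraw(uint256 amount) external {
        // Unrestricted and fee-free, as in the report: a griefer can exit right away.
        shares[msg.sender] -= amount;            // 0.8.x underflow check guards the balance
        totalDeposited -= amount;
        require(myt.transfer(msg.sender, amount), "transfer failed");
    }

    function setDepositCap(uint256 cap) external virtual;
}

/// Pattern described in the report: the setter refuses any cap below the
/// contract's token balance, so a deposit mined just before the admin's
/// transaction makes the lowering revert.
contract CapVaultBalanceChecked is CapVaultBase {
    error CapBelowBalance(uint256 cap, uint256 balance);

    constructor(IERC20 myt_, uint256 cap_) CapVaultBase(myt_, cap_) {}

    function setDepositCap(uint256 cap) external override onlyAdmin {
        uint256 bal = myt.balanceOf(address(this));
        if (cap < bal) revert CapBelowBalance(cap, bal); // grief-able precondition
        depositCap = cap;
    }
}

/// Hardened variant: the cap is a limit on future deposits, so the admin can
/// always lower it. If the new cap is below totalDeposited, deposits simply
/// stay blocked until withdrawals bring the total back under the cap.
contract CapVaultLowerable is CapVaultBase {
    event DepositCapUpdated(uint256 oldCap, uint256 newCap);

    constructor(IERC20 myt_, uint256 cap_) CapVaultBase(myt_, cap_) {}

    function setDepositCap(uint256 cap) external override onlyAdmin {
        emit DepositCapUpdated(depositCap, cap);
        depositCap = cap;
    }
}
```

Two design points are worth noting. First, the hardened setter has no precondition that an unprivileged caller can influence, which is the property that removes the griefing vector. Second, the deposit check uses an internal `totalDeposited` counter rather than `balanceOf(address(this))`; tokens transferred directly to the contract would otherwise inflate the measured balance and could block legitimate deposits even without a withdrawal afterwards.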

Impact Details

The impact is a partial denial of service: the admin can only increase the deposit cap, never decrease it.

References

https://github.com/alchemix-finance/v3-poc/blob/a192ab313c81ba3ab621d9ca1ee000110fbdd1e9/src/AlchemistV3.sol#L237

Proof of Concept

Add this function to the AlchemistV3.t.sol test file:

PoC:
