57746 sc low broken contract ownership logic at alchemistv3 sol

Submitted on Oct 28th 2025 at 16:28:14 UTC by @Cyborg for Audit Comp | Alchemix V3

Report ID: #57746
Report Type: Smart Contract
Report severity: Low
Target: https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/AlchemistCurator.sol
Impacts:
- Broken contract ownership transfer logic

Description

Brief/Intro

Broken contract ownership logic at AlchemistV3.sol due to impossible accept ownership method.

Vulnerability Details

Inside src/AlchemistCurator.sol there are 2 methods to handle the admin transfership - methods transferAdminOwnerShip and acceptAdminOwnership. The problem here is that both methods are created with modifier onlyAdmin meaning that the selected pendingAdmin at method transferAdminOwnerShip can't really request method acceptAdminOwnership in order to accept the admin role, because he is not yet the admin thus the onlyAdmin modifier will revert. There is no way for the pendingAdmin to accept the ownership and there is no way for the current admin to force transfer the ownership. The smart contract has very important methods for Morpho's Vault V2 that are protected with the onlyAdmin modifier.

Impact Details

The AlchemistV3 contract being stuck with the initial admin.

Recommendation

Remove the onlyAdmin modifier from method acceptAdminOwnership and add validation to check if the msg.sender == pendingAdmin:

function acceptAdminOwnership() external {
    require(msg.sender == pendingAdmin, InvalidPendingAdmin());
    admin = pendingAdmin;
    pendingAdmin = address(0);
    emit AdminChanged(admin);
}

Proof of Concept

Create file src/test/AlchemistCurator.test_acceptAdminOwnership.t.sol and run it with command forge test src/test/AlchemistCurator.test_acceptAdminOwnership.t.sol -vv:

// SPDX-License-Identifier: MIT
pragma solidity 0.8.28;

import "forge-std/Test.sol";
import {MockAlchemistCurator} from "./mocks/MockAlchemistCurator.sol";


contract AlchemistCuratorTest is Test {
    MockAlchemistCurator public mytCuratorProxy;
    address public admin = address(0x4444444444444444444444444444444444444444); // DAO OSX
    address public newAdmin = address(0x123);

    function setUp() public {
        vm.startPrank(admin);
        mytCuratorProxy = new MockAlchemistCurator(admin, admin);
        vm.stopPrank();
    }

    function test_acceptAdminOwnership() public {
        vm.startPrank(admin);
        assertEq(mytCuratorProxy.pendingAdmin(), address(0));

        mytCuratorProxy.transferAdminOwnerShip(newAdmin);
        assertEq(mytCuratorProxy.pendingAdmin(), newAdmin);

        vm.startPrank(newAdmin);
        vm.expectRevert(bytes("PD")); // error returned from https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/utils/PermissionedProxy.sol#L18
        mytCuratorProxy.acceptAdminOwnership();
    }
}

Previous57995 sc high missing slippage protection in tokeautousdstrategy allocation function leads to permanent value loss Next57760 sc high mytstrategy allocate deallocate doesnt account for profit and loss

Was this helpful?

hashtagDescription

hashtagBrief/Intro

hashtagVulnerability Details

hashtagImpact Details

hashtagRecommendation

hashtagProof of Concept

hashtagProof of Concept

Description

Brief/Intro

Vulnerability Details

Impact Details

Recommendation

Proof of Concept

Proof of Concept