#58181 [SC - Medium] A griefer can cause a permanent DoS in TokeAutoEth / TokeAutoUSDCStrategy allocate

Submitted on Oct 31st 2025 at 07:36:38 UTC by @aman for Audit Comp | Alchemix V3

  • Report ID: #58181

  • Report Type: Smart Contract

  • Report severity: Medium

  • Target: https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/mainnet/TokeAutoEth.sol

  • Impacts:

    • Temporary freezing of funds for at least 24 hour

    • Contract fails to deliver promised returns, but doesn't lose value

    • Temporary freezing of funds for at least 1 hour

Description

Brief/Intro

The TokeAuto strategies allocate through router::depositMax, which tries to pull the caller's entire token balance, but the strategy approves only the exact amount of the current allocation. If the strategy's balance exceeds the approved amount, the transferFrom inside depositMax reverts. An attacker can exploit this by donating tokens to the strategy ahead of each allocation so that every allocate call reverts, causing a prolonged or, if repeated indefinitely, permanent DoS.

Vulnerability Details

When allocating into TokeAuto, the strategy goes through the AutopilotRouter and calls its depositMax function.

The strategy approves only the exact amount intended for the current allocation, so the router can pull at most that amount from the strategy contract. However, router::depositMax does not pull the approved amount: it attempts to pull the strategy's entire token balance, capped only by the vault's maxDeposit. Any balance above the allowance therefore makes the transferFrom revert.

Concretely: if the strategy holds 100 WETH but the allocation amount (and therefore the approval) is 99 WETH, depositMax tries to pull 100 WETH and reverts. An attacker can weaponize this by front-running the allocate transaction and donating as little as 1 wei to the strategy, which is enough to push the balance above the approved amount.

Impact Details

A single 1-wei donation, repeated in front of each allocation, halts allocations to TokeAutoETH/TokeAutoUSDC, causing prolonged disruption of yield operations and exposing the protocol to financial risk.

References

TokeAutoEth : https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/mainnet/TokeAutoEth.sol

TokeAutoUSDStrategy : https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/mainnet/TokeAutoUSDStrategy.sol

AutopilotRouter : https://vscode.blockscan.com/ethereum/0x37dD409f5e98aB4f151F4259Ea0CC13e97e8aE21

Proof of Concept

Step-by-step POC explanation:

  1. Admin attempts to allocate 40 WETH to the TokeAutoEth strategy.

  2. Attacker watches the allocation transaction in the mempool.

  3. Attacker front-runs the allocation and donates 1 wei to the strategy.

  4. When the admin's allocation executes, the strategy approves exactly 40 WETH, but its balance is now 40 WETH + 1 wei.

  5. Inside the call flow, router::depositMax attempts to pull the strategy's entire balance (40 WETH + 1 wei) against a 40 WETH allowance, so the transferFrom reverts and the whole allocation fails.

Add the following file, POC.t.sol, to the test/strategies directory:

Run the test case with: forge test --mc POCTest --match-test test_strategy_allocation -vvv --decode-internal
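As an added example (not code from the Alchemix or Tokemak repositories, and not the Foundry PoC referenced above), the following Python model reproduces the allowance/balance interaction behind the report so it can be exercised offline. It assumes an ERC4626Router-style depositMax that pulls min(balanceOf(caller), maxDeposit) via transferFrom, matching the behaviour described in the Vulnerability Details and in the PoC steps; the token, vault, router and strategy classes, the 40 WETH amount and the two candidate fixes are constructed for this illustration and are not the project's remediation.

```python
"""Added illustration of the depositMax / exact-approval mismatch.
Models ERC-20 allowance rules and an ERC4626Router-style depositMax in
plain Python; all names, amounts and fixes are assumptions for the example."""
from dataclasses import dataclass, field

WAD = 10**18
UINT256_MAX = 2**256 - 1


class Revert(Exception):
    """Stands in for an EVM revert."""


@dataclass
class Token:
    """Minimal ERC-20: balances plus (owner, spender) allowances."""
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def mint(self, to, amount):
        self.balances[to] = self.balance_of(to) + amount

    def transfer(self, sender, to, amount):
        if self.balance_of(sender) < amount:
            raise Revert("ERC20: transfer amount exceeds balance")
        self.balances[sender] -= amount
        self.mint(to, amount)

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowances.get((owner, spender), 0)
        if allowed < amount:
            raise Revert("ERC20: insufficient allowance")
        self.allowances[(owner, spender)] = allowed - amount
        self.transfer(owner, to, amount)


@dataclass
class Vault:
    """1:1 share vault; max_deposit models ERC-4626 maxDeposit()."""
    token: Token
    max_deposit: int = UINT256_MAX
    shares: dict = field(default_factory=dict)

    def deposit(self, amount, receiver):
        if amount > self.max_deposit:
            raise Revert("ERC4626: deposit more than max")
        self.shares[receiver] = self.shares.get(receiver, 0) + amount
        return amount


class Router:
    NAME = "router"

    def __init__(self, token, vault):
        self.token, self.vault = token, vault

    def deposit_max(self, caller, receiver):
        # Key behaviour: the amount is derived from the caller's balance,
        # not from the allowance the caller granted.
        amount = min(self.token.balance_of(caller), self.vault.max_deposit)
        self.token.transfer_from(self.NAME, caller, self.NAME, amount)
        return self.vault.deposit(amount, receiver)

    def deposit(self, caller, receiver, amount):
        self.token.transfer_from(self.NAME, caller, self.NAME, amount)
        return self.vault.deposit(amount, receiver)


class Strategy:
    NAME = "strategy"

    def __init__(self, token, router):
        self.token, self.router = token, router

    def allocate_vulnerable(self, amount):
        # As described in the report: exact approval, then depositMax.
        self.token.approve(self.NAME, Router.NAME, amount)
        return self.router.deposit_max(self.NAME, self.NAME)

    def allocate_exact(self, amount):
        # Candidate fix A (assumption): deposit exactly the approved amount;
        # donated dust stays in the strategy and cannot block the call.
        self.token.approve(self.NAME, Router.NAME, amount)
        return self.router.deposit(self.NAME, self.NAME, amount)

    def allocate_sweep(self, _amount):
        # Candidate fix B (assumption): approve the whole balance so the
        # allowance always covers what depositMax will pull (dust is swept).
        self.token.approve(self.NAME, Router.NAME, self.token.balance_of(self.NAME))
        return self.router.deposit_max(self.NAME, self.NAME)


def run_scenario(allocate, donation_wei, allocation=40 * WAD):
    """Fund the strategy, optionally front-run it with a donation, then
    allocate. Returns ("ok", deposited) or ("revert", reason)."""
    token = Token()
    strat = Strategy(token, Router(token, Vault(token)))
    token.mint(Strategy.NAME, allocation)      # admin-funded allocation
    token.mint("attacker", donation_wei)
    if donation_wei:
        token.transfer("attacker", Strategy.NAME, donation_wei)  # the front-run
    try:
        return ("ok", getattr(strat, allocate)(allocation))
    except Revert as exc:
        return ("revert", str(exc))


if __name__ == "__main__":
    for name in ("allocate_vulnerable", "allocate_exact", "allocate_sweep"):
        print(f"{name:20s} no donation   -> {run_scenario(name, 0)}")
        print(f"{name:20s} 1 wei donated -> {run_scenario(name, 1)}")
```

Running it shows the vulnerable path succeeding with no donation and reverting with "insufficient allowance" after a 1-wei donation, while both candidate fixes survive the donation. Which fix is appropriate depends on whether the strategy is meant to hold assets outside the vault: fix A deposits exactly the intended amount and tolerates dust, fix B sweeps everything the strategy holds into the vault.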
