# 58466 sc high liquidation fee payment failure due to redundant wrong collateral check **Submitted on Nov 2nd 2025 at 14:13:42 UTC by @omarAli001 for** [**Audit Comp | Alchemix V3**](https://immunefi.com/audit-competition/alchemix-v3-audit-competition) * **Report ID:** #58466 * **Report Type:** Smart Contract * **Report severity:** High * **Target:** * **Impacts:** * Smart contract unable to operate due to lack of token funds ## Description ## Summary A redundant collateral balance check in the liquidation process prevents liquidators from receiving their rightful fees even the fee is reduced from liquidated user, when a user's collateral balance becomes low or zero after liquidation(liquidatedAmount + fee) reduction. This creates a scenario where liquidators perform work but don't get his fee which is already reduced from liquidated user, potentially disincentivizing necessary liquidations. ## Description The issue occurs in the `_doLiquidation()` function where there's inconsistent handling of the liquidation fee: let's go to step by step in code i describe complete issue, i write some note on code with @audit tag please it also. the `_doLiquidation` call `calculateLiquidation` which return this value `(liquidationAmount, debtToBurn, baseFee, outsourcedFFee)` the liquidationAmount include base amount to get liqudate + fee that should be transfer to liquidator. ```javascript function calculateLiquidation( uint256 collateral, uint256 debt, uint256 targetCollateralization, uint256 alchemistCurrentCollateralization, uint256 alchemistMinimumCollateralization, uint256 feeBps ) public pure returns (uint256 grossCollateralToSeize, uint256 debtToBurn, uint256 fee, uint256 outsourcedFee) { if (debt >= collateral) { outsourcedFee = (debt * feeBps) / BPS; // fully liquidate debt if debt is greater than collateral return (collateral, debt, 0, outsourcedFee); } if (alchemistCurrentCollateralization < alchemistMinimumCollateralization) { outsourcedFee = (debt * feeBps) / BPS; // fully liquidate debt in high ltv global environment return (debt, debt, 0, outsourcedFee); } // fee is taken from surplus = collateral - debt uint256 surplus = collateral > debt ? collateral - debt : 0; @> fee = (surplus * feeBps) / BPS; // collateral remaining for marginā€restore calc uint256 adjCollat = collateral - fee; // compute m*d (both plain units) uint256 md = (targetCollateralization * debt) / FIXED_POINT_SCALAR; // if md <= adjCollat, nothing to liquidate if (md <= adjCollat) { return (0, 0, fee, 0); } // numerator = md - adjCollat uint256 num = md - adjCollat; // denom = m - 1 => (targetCollateralization - FIXED_POINT_SCALAR)/FIXED_POINT_SCALAR uint256 denom = targetCollateralization - FIXED_POINT_SCALAR; // debtToBurn = (num * FIXED_POINT_SCALAR) / denom debtToBurn = (num * FIXED_POINT_SCALAR) / denom; // gross collateral seize = net + fee // @audit the function return `debtToBurn + fee` as a amount to get liqudate @> grossCollateralToSeize = debtToBurn + fee; } function _doLiquidation(uint256 accountId, uint256 collateralInUnderlying, uint256 repaidAmountInYield) internal returns (uint256 amountLiquidated, uint256 feeInYield, uint256 feeInUnderlying) { Account storage account = _accounts[accountId]; (uint256 liquidationAmount, uint256 debtToBurn, uint256 baseFee, uint256 outsourcedFee) = calculateLiquidation( collateralInUnderlying, account.debt, minimumCollateralization, normalizeUnderlyingTokensToDebt(_getTotalUnderlyingValue()) * FIXED_POINT_SCALAR / totalDebt, globalMinimumCollateralization, liquidatorFee ); amountLiquidated = convertDebtTokensToYield(liquidationAmount); feeInYield = convertDebtTokensToYield(baseFee); // update user balance and debt account.collateralBalance = account.collateralBalance > amountLiquidated ? account.collateralBalance - amountLiquidated : 0; _subDebt(accountId, debtToBurn); TokenUtils.safeTransfer(myt, transmuter, amountLiquidated - feeInYield); // @audit amountLiquidated is the amount that should be reduce from user collateral and get liquidate, feeInYield is the fee amount that // should be transfer to liquidator for liquidation, now the function reduce the amountLiquidated(amount liquidate + fee) from user collateral // then only transfer amountLiquidated - feeInYield to transmuter and sufficient feeInYield amount is left that should be transfer to liquidator, now if after reduction user collateral become 0 below wrong redundent check prevent from transfering liquidation fee to liquidator. // send base fee to liquidator if available if (feeInYield > 0 && account.collateralBalance >= feeInYield) { TokenUtils.safeTransfer(myt, msg.sender, feeInYield); } // Handle outsourced fee from vault if (outsourcedFee > 0) { uint256 vaultBalance = IFeeVault(alchemistFeeVault).totalDeposits(); if (vaultBalance > 0) { uint256 feeBonus = normalizeDebtTokensToUnderlying(outsourcedFee); feeInUnderlying = vaultBalance > feeBonus ? feeBonus : vaultBalance; IFeeVault(alchemistFeeVault).withdraw(msg.sender, feeInUnderlying); } } emit Liquidated(accountId, msg.sender, amountLiquidated + repaidAmountInYield, feeInYield, feeInUnderlying); return (amountLiquidated + repaidAmountInYield, feeInYield, feeInUnderlying); } ``` since the calculateLiquidation function return liquidationAmount which include both the liqudate amount + fee of liquidator function correclty reduce the both value as amountLiquidate from user collateral and the the function only transfer the base amount to transmuter `TokenUtils.safeTransfer(myt, transmuter, amountLiquidated - feeInYield);`. this mean the fee is in the contract and should be transfer to liquidator, but the redundet check `if (feeInYield > 0 && account.collateralBalance >= feeInYield)` will prevent from transfering fee to liquidator if user collateral become 0 when the amountLiquidated get substract from him. this redundent check will lead to not transfering fee to liquidator and that amount will be stay in contract. liquidator will loss the fee that it should be received. ```javascript function _doLiquidation(uint256 accountId, uint256 collateralInUnderlying, uint256 repaidAmountInYield) internal returns (uint256 amountLiquidated, uint256 feeInYield, uint256 feeInUnderlying) { Account storage account = _accounts[accountId]; @> (uint256 liquidationAmount, uint256 debtToBurn, uint256 baseFee, uint256 outsourcedFee) = calculateLiquidation( collateralInUnderlying, account.debt, minimumCollateralization, normalizeUnderlyingTokensToDebt(_getTotalUnderlyingValue()) * FIXED_POINT_SCALAR / totalDebt, globalMinimumCollateralization, liquidatorFee ); amountLiquidated = convertDebtTokensToYield(liquidationAmount); feeInYield = convertDebtTokensToYield(baseFee); // update user balance and debt @> account.collateralBalance = account.collateralBalance > amountLiquidated ? account.collateralBalance - amountLiquidated : 0; @> _subDebt(accountId, debtToBurn); @> TokenUtils.safeTransfer(myt, transmuter, amountLiquidated - feeInYield); // send base fee to liquidator if available @> if (feeInYield > 0 && account.collateralBalance >= feeInYield) { @> TokenUtils.safeTransfer(myt, msg.sender, feeInYield); @> } } ``` Scenario Analysis:- Normal Case (works correctly): * User collateral: 100 MYT * amountLiquidated: 10 MYT (8 principal + 2 fee) * After liquidation: 90 MYT remaining * Transmuter receives: 8 MYT * Liquidator receives: 2 MYT Problem Case (fee payment fails): * User collateral: 10 MYT * amountLiquidated: 10 MYT (8 principal + 2 fee) * After liquidation: 0 MYT remaining * Transmuter receives: 8 MYT * Liquidator receives: 0 MYT ## Impact * Liquidators not receiving their rightful fees for performing liquidations * Financial loss for liquidators who expend gas and effort without compensation * Reduced incentive for liquidators to monitor and liquidate undercollateralized positions ## Severity level med:- the reason i choose the med severity level and impact (Smart contract unable to operate due to lack of token funds) because the fee that is reduced and not transfer to liquidator is lack of completing the operation and this is happening because of wrong check and lack of enough extra token amount requiring due to wrong check. ## Mitigation Steps remove the second part of if check. ```javascript function _doLiquidation(uint256 accountId, uint256 collateralInUnderlying, uint256 repaidAmountInYield) internal returns (uint256 amountLiquidated, uint256 feeInYield, uint256 feeInUnderlying) { Account storage account = _accounts[accountId]; (uint256 liquidationAmount, uint256 debtToBurn, uint256 baseFee, uint256 outsourcedFee) = calculateLiquidation( collateralInUnderlying, account.debt, minimumCollateralization, normalizeUnderlyingTokensToDebt(_getTotalUnderlyingValue()) * FIXED_POINT_SCALAR / totalDebt, globalMinimumCollateralization, liquidatorFee ); amountLiquidated = convertDebtTokensToYield(liquidationAmount); feeInYield = convertDebtTokensToYield(baseFee); // update user balance and debt account.collateralBalance = account.collateralBalance > amountLiquidated ? account.collateralBalance - amountLiquidated : 0; _subDebt(accountId, debtToBurn); ++ uint256 amountToTransmuter = amountLiquiated - feeInYield; ++ uint256 liquidatorFee = amountLiquiated - amountToTransmuter; TokenUtils.safeTransfer(myt, transmuter, amountLiquidated - feeInYield); // send base fee to liquidator if available -- if (feeInYield > 0 && account.collateralBalance >= feeInYield) { ++ if (liquidatorFee > 0) { TokenUtils.safeTransfer(myt, msg.sender, liquidatorFee); } ``` ## Proof of Concept ## Proof of Concept ```javascript // SPDX-License-Identifier: GPL-3.0-or-later pragma solidity 0.8.28; import {IERC20} from "../../lib/openzeppelin-contracts/contracts/token/ERC20/IERC20.sol"; import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol"; import {TransparentUpgradeableProxy} from "../../lib/openzeppelin-contracts/contracts/proxy/transparent/TransparentUpgradeableProxy.sol"; import {SafeCast} from "../libraries/SafeCast.sol"; import {Test} from "../../lib/forge-std/src/Test.sol"; import {SafeERC20} from "../libraries/SafeERC20.sol"; import {console} from "../../lib/forge-std/src/console.sol"; import {AlchemistV3} from "../AlchemistV3.sol"; import {AlchemicTokenV3} from "../test/mocks/AlchemicTokenV3.sol"; import {Transmuter} from "../Transmuter.sol"; import {AlchemistV3Position} from "../AlchemistV3Position.sol"; import {Whitelist} from "../utils/Whitelist.sol"; import {TestERC20} from "./mocks/TestERC20.sol"; import {TestYieldToken} from "./mocks/TestYieldToken.sol"; import {TokenAdapterMock} from "./mocks/TokenAdapterMock.sol"; import {IAlchemistV3, IAlchemistV3Errors, AlchemistInitializationParams} from "../interfaces/IAlchemistV3.sol"; import {ITransmuter} from "../interfaces/ITransmuter.sol"; import {ITestYieldToken} from "../interfaces/test/ITestYieldToken.sol"; import {InsufficientAllowance} from "../base/Errors.sol"; import {Unauthorized, IllegalArgument, IllegalState, MissingInputData} from "../base/Errors.sol"; import {AlchemistNFTHelper} from "./libraries/AlchemistNFTHelper.sol"; import {IAlchemistV3Position} from "../interfaces/IAlchemistV3Position.sol"; import {AggregatorV3Interface} from "../../lib/chainlink-brownie-contracts/contracts/src/v0.8/shared/interfaces/AggregatorV3Interface.sol"; import {TokenUtils} from "../libraries/TokenUtils.sol"; import {AlchemistTokenVault} from "../AlchemistTokenVault.sol"; import {MockMYTStrategy} from "./mocks/MockMYTStrategy.sol"; import {MYTTestHelper} from "./libraries/MYTTestHelper.sol"; import {IMYTStrategy} from "../interfaces/IMYTStrategy.sol"; import {MockAlchemistAllocator} from "./mocks/MockAlchemistAllocator.sol"; import {IMockYieldToken} from "./mocks/MockYieldToken.sol"; import {IVaultV2} from "../../lib/vault-v2/src/interfaces/IVaultV2.sol"; import {VaultV2} from "../../lib/vault-v2/src/VaultV2.sol"; import {MockYieldToken} from "./mocks/MockYieldToken.sol"; contract AlchemistV3Test is Test { // ----- [SETUP] Variables for setting up a minimal CDP ----- // Callable contract variables AlchemistV3 alchemist; Transmuter transmuter; AlchemistV3Position alchemistNFT; AlchemistTokenVault alchemistFeeVault; // // Proxy variables TransparentUpgradeableProxy proxyAlchemist; TransparentUpgradeableProxy proxyTransmuter; // // Contract variables // CheatCodes cheats = CheatCodes(HEVM_ADDRESS); AlchemistV3 alchemistLogic; Transmuter transmuterLogic; AlchemicTokenV3 alToken; Whitelist whitelist; // Parameters for AlchemicTokenV2 string public _name; string public _symbol; uint256 public _flashFee; address public alOwner; mapping(address => bool) users; uint256 public constant FIXED_POINT_SCALAR = 1e18; uint256 public constant BPS = 10_000; uint256 public protocolFee = 100; uint256 public liquidatorFeeBPS = 300; // in BPS, 3% uint256 public minimumCollateralization = uint256(FIXED_POINT_SCALAR * FIXED_POINT_SCALAR) / 9e17; // ----- Variables for deposits & withdrawals ----- // account funds to make deposits/test with uint256 accountFunds; // large amount to test with uint256 whaleSupply; // amount of yield/underlying token to deposit uint256 depositAmount; // minimum amount of yield/underlying token to deposit uint256 minimumDeposit = 1000e18; // minimum amount of yield/underlying token to deposit uint256 minimumDepositOrWithdrawalLoss = FIXED_POINT_SCALAR; // random EOA for testing address externalUser = address(0x69E8cE9bFc01AA33cD2d02Ed91c72224481Fa420); // another random EOA for testing address anotherExternalUser = address(0x420Ab24368E5bA8b727E9B8aB967073Ff9316969); // another random EOA for testing address yetAnotherExternalUser = address(0x520aB24368e5Ba8B727E9b8aB967073Ff9316961); // another random EOA for testing address someWhale = address(0x521aB24368E5Ba8b727e9b8AB967073fF9316961); // WETH address address public weth = address(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2); address public protocolFeeReceiver = address(10); // MYT variables VaultV2 vault; MockAlchemistAllocator allocator; MockMYTStrategy mytStrategy; address public operator = address(0x2222222222222222222222222222222222222222); // default operator address public admin = address(0x4444444444444444444444444444444444444444); // DAO OSX address public curator = address(0x8888888888888888888888888888888888888888); address public mockVaultCollateral = address(new TestERC20(100e18, uint8(18))); address public mockStrategyYieldToken = address(new MockYieldToken(mockVaultCollateral)); uint256 public defaultStrategyAbsoluteCap = 2_000_000_000e18; uint256 public defaultStrategyRelativeCap = 1e18; // 100% // address alchemistAdmin = makeAddr("admin"); struct CalculateLiquidationResult { uint256 liquidationAmountInYield; uint256 debtToBurn; uint256 outSourcedFee; uint256 baseFeeInYield; } struct AccountPosition { address user; uint256 collateral; uint256 debt; uint256 tokenId; } function setUp() external { adJustTestFunds(18); setUpMYT(18); deployCoreContracts(18); } function adJustTestFunds(uint256 alchemistUnderlyingTokenDecimals) public { accountFunds = 200_000 * 10 ** alchemistUnderlyingTokenDecimals; whaleSupply = 20_000_000_000 * 10 ** alchemistUnderlyingTokenDecimals; depositAmount = 200_000 * 10 ** alchemistUnderlyingTokenDecimals; } function setUpMYT(uint256 alchemistUnderlyingTokenDecimals) public { vm.startPrank(admin); uint256 TOKEN_AMOUNT = 1_000_000; // Base token amount uint256 initialSupply = TOKEN_AMOUNT * 10 ** alchemistUnderlyingTokenDecimals; mockVaultCollateral = address(new TestERC20(initialSupply, uint8(alchemistUnderlyingTokenDecimals))); mockStrategyYieldToken = address(new MockYieldToken(mockVaultCollateral)); vault = MYTTestHelper._setupVault(mockVaultCollateral, admin, curator); mytStrategy = MYTTestHelper._setupStrategy(address(vault), mockStrategyYieldToken, admin, "MockToken", "MockTokenProtocol", IMYTStrategy.RiskClass.LOW); allocator = new MockAlchemistAllocator(address(vault), admin, operator); vm.stopPrank(); vm.startPrank(curator); _vaultSubmitAndFastForward(abi.encodeCall(IVaultV2.setIsAllocator, (address(allocator), true))); vault.setIsAllocator(address(allocator), true); _vaultSubmitAndFastForward(abi.encodeCall(IVaultV2.addAdapter, address(mytStrategy))); vault.addAdapter(address(mytStrategy)); bytes memory idData = mytStrategy.getIdData(); _vaultSubmitAndFastForward(abi.encodeCall(IVaultV2.increaseAbsoluteCap, (idData, defaultStrategyAbsoluteCap))); vault.increaseAbsoluteCap(idData, defaultStrategyAbsoluteCap); _vaultSubmitAndFastForward(abi.encodeCall(IVaultV2.increaseRelativeCap, (idData, defaultStrategyRelativeCap))); vault.increaseRelativeCap(idData, defaultStrategyRelativeCap); vm.stopPrank(); } function _magicDepositToVault(address vault, address depositor, uint256 amount) internal returns (uint256) { deal(address(mockVaultCollateral), address(depositor), amount); vm.startPrank(depositor); TokenUtils.safeApprove(address(mockVaultCollateral), vault, amount); uint256 shares = IVaultV2(vault).deposit(amount, depositor); vm.stopPrank(); return shares; } function _vaultSubmitAndFastForward(bytes memory data) internal { vault.submit(data); bytes4 selector = bytes4(data); vm.warp(block.timestamp + vault.timelock(selector)); } function deployCoreContracts(uint256 alchemistUnderlyingTokenDecimals) public { // test maniplulation for convenience address caller = address(0xdead); address proxyOwner = address(this); vm.assume(caller != address(0)); vm.assume(proxyOwner != address(0)); vm.assume(caller != proxyOwner); vm.startPrank(alchemistAdmin); // Fake tokens alToken = new AlchemicTokenV3(_name, _symbol, _flashFee); ITransmuter.TransmuterInitializationParams memory transParams = ITransmuter.TransmuterInitializationParams({ syntheticToken: address(alToken), feeReceiver: address(this), timeToTransmute: 5_256_000, transmutationFee: 10, exitFee: 20, graphSize: 52_560_000 }); // Contracts and logic contracts alOwner = caller; transmuterLogic = new Transmuter(transParams); alchemistLogic = new AlchemistV3(); whitelist = new Whitelist(); // AlchemistV3 proxy AlchemistInitializationParams memory params = AlchemistInitializationParams({ admin: alchemistAdmin, debtToken: address(alToken), underlyingToken: address(vault.asset()), depositCap: type(uint256).max, // collateralizationLowerBound: 1_052_631_578_950_000_000, // 1.05 collateralization // globalMinimumCollateralization: 1_111_111_111_111_111_111, // 1.1 minimumCollateralization: 1e18, collateralizationLowerBound: 2e18, // 1.05 collateralization globalMinimumCollateralization: 1e18, // 1.1 transmuter: address(transmuterLogic), // we set protocol fee. 10% protocolFee: 1000, protocolFeeReceiver: protocolFeeReceiver, // liquidatorFee: liquidatorFeeBPS, liquidatorFee: 8_000, repaymentFee: 100, myt: address(vault) }); bytes memory alchemParams = abi.encodeWithSelector(AlchemistV3.initialize.selector, params); proxyAlchemist = new TransparentUpgradeableProxy(address(alchemistLogic), proxyOwner, alchemParams); alchemist = AlchemistV3(address(proxyAlchemist)); // Whitelist alchemist proxy for minting tokens alToken.setWhitelist(address(proxyAlchemist), true); whitelist.add(alchemistAdmin); whitelist.add(address(0xbeef)); whitelist.add(externalUser); whitelist.add(anotherExternalUser); transmuterLogic.setAlchemist(address(alchemist)); transmuterLogic.setDepositCap(uint256(type(int256).max)); alchemistNFT = new AlchemistV3Position(address(alchemist)); alchemist.setAlchemistPositionNFT(address(alchemistNFT)); alchemistFeeVault = new AlchemistTokenVault(address(vault.asset()), address(alchemist), alchemistAdmin); // alchemistFeeVault = new AlchemistTokenVault(address(vault.asset()), address(alchemist), alOwner); alchemistFeeVault.setAuthorization(address(alchemist), true); alchemist.setAlchemistFeeVault(address(alchemistFeeVault)); _magicDepositToVault(address(vault), address(0xbeef), accountFunds); _magicDepositToVault(address(vault), address(0xdad), accountFunds); _magicDepositToVault(address(vault), externalUser, accountFunds); _magicDepositToVault(address(vault), yetAnotherExternalUser, accountFunds); _magicDepositToVault(address(vault), anotherExternalUser, accountFunds); vm.stopPrank(); vm.startPrank(address(admin)); allocator.allocate(address(mytStrategy), vault.convertToAssets(vault.totalSupply())); vm.stopPrank(); deal(address(alToken), address(0xdad), accountFunds); deal(address(alToken), address(anotherExternalUser), accountFunds); deal(address(vault.asset()), address(0xbeef), accountFunds); deal(address(vault.asset()), externalUser, accountFunds); deal(address(vault.asset()), yetAnotherExternalUser, accountFunds); deal(address(vault.asset()), anotherExternalUser, accountFunds); deal(address(vault.asset()), alchemist.alchemistFeeVault(), 10_000 * (10 ** alchemistUnderlyingTokenDecimals)); vm.startPrank(anotherExternalUser); SafeERC20.safeApprove(address(vault.asset()), address(vault), accountFunds); vm.stopPrank(); vm.startPrank(yetAnotherExternalUser); SafeERC20.safeApprove(address(vault.asset()), address(vault), accountFunds); vm.stopPrank(); vm.startPrank(someWhale); deal(address(vault), someWhale, whaleSupply); deal(address(vault.asset()), someWhale, whaleSupply); SafeERC20.safeApprove(address(vault.asset()), address(mockStrategyYieldToken), whaleSupply); vm.stopPrank(); } function testA() external { address liquidator = makeAddr("liquidator"); uint256 balanceOfLiquidatorBeforeLiquidation = IERC20(address(vault)).balanceOf(liquidator); console.log("Liquidator myt balance before calling liquidate function for userA",balanceOfLiquidatorBeforeLiquidation); vm.startPrank(address(0xbeef)); SafeERC20.safeApprove(address(vault), address(alchemist), 100e18); alchemist.deposit(25_050_000_000_000_000_000, address(0xbeef), 0); alchemist.mint(1, 25e18, address(0xbeef)); vm.stopPrank(); vm.startPrank(alchemistAdmin); // minCollateralizationRatio set 2, now user is liquidatable. alchemist.setMinimumCollateralization(2_000_000_000_000_000_000); vm.stopPrank(); vm.startPrank(liquidator); (uint256 amountLiq, uint256 feeLiq, uint256 feeInUn) = alchemist.liquidate(1); vm.stopPrank(); console.log("Amount that get liquidate ",amountLiq); console.log("Fee that should be send for liquidator for liquidation calling ",feeLiq); uint256 balanceOfLiquidatorAfterLiquidation = IERC20(address(vault)).balanceOf(liquidator); console.log("Liquidator myt balance After calling liquidate function for userA",balanceOfLiquidatorAfterLiquidation); } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/alchemix-v3/58466-sc-high-liquidation-fee-payment-failure-due-to-redundant-wrong-collateral-check.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.