Last updated
Was this helpful?
Submitted on May 11th 2024 at 11:50:44 UTC by @infosec_us_team for
Report ID: #31042
Report type: Smart Contract
Report severity: High
Target: https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/src/RevenueHandler.sol
Impacts:
Temporary freezing of funds for 12 hours
When claiming an alchemic-token in RevenueHandler, the claim(...) function checks if a user has deposits in AlchemistV2 and attempts to pay his debt using the alchemic-token.
Github Link: https://github.com/alchemix-finance/alchemix-v2-dao/blob/f1007439ad3a32e412468c4c42f62f676822dc1f/src/RevenueHandler.sol#L209-L213
Users can have deposits in AlchemistV2 with no debt. Attempting to burn debt from an AlchemistV2 account that has 0 debt reverts the transaction, therefore checking for deposits is wrong, we should be checking for debt instead.
(int256 debt, address[] memory deposits) = IAlchemistV2(alchemist).accounts(recipient);
Users with deposits but no debt in AlchemistV2, when calling RevenueHandler.claim(...) with an alchemist address and an alchemic-token will have their claim(...) transaction reverted.
Rewards are not permanently locked though. An advanced user can read the smart contract, detect the bug, and manually send a transaction to the revenueHandler smart contract with "address(0)" as the alchemist to bypass the bug and claim his reward.
Claiming alchemic-token rewards can fail for some users
Here's a test demonstrating the revenueHandler.claim(...) transaction reverting because the user has deposits but no debt.
