Full Report
Alchemix Finance is a synthetic asset protocol around tokenizing future yield. Using the DAO, it's possible to access the future yield. This is done by issuing a synthetic token that represents the fungible claim of assets left by the depositors. The synthetic debt token, or alAssets, represent the user's future yield. These are backed by the corresponding underlying asset at a near 1:1 value. These can be realized by swapping the underlying asset for the alAsset over time. Or, things can be traded on the open market. Within loan based protocols, there is a process called liquidations. This happens when a user's collateral drops below a certain threshold; loans are over collateralized so the protocol doesn't lose money. When this happens though, they want the original funds back but the user took them with their loan. So, a liquidation is the process of trading the collateral at a discount to get the loaned asset. The vulnerability is a bad liquidation check, leaving the protocol with bad debt. In particular, a sandwich attack can occur to mess up the price of a given asset. The exploitation of this is pretty weird but makes since in the context. Here's the step by step on how to exploit this missing check: Deposit 100 stETH and take a loan for 50 alETH. The maximum is 50% in order to prevent the protocol from losing money. Call the liquidate() function on the loan that was just taken out. Crucially, set the minOut to be 0. We are trying to sandwich the trade call made within this. The unwrap() function is susceptible to sandwich attacks. So, we can make the trading ratio between the two tokens next to nothing! The protocol sends the liquidator the collateral for providing the small amount of loaned out value. The protocol didn't get enough of the tokens to pay off the bad debt but still paid out for the liquidation! We profited almost 50% from this. This essentially allows us to bypass the typical solvency checks on the account. The attack gives us back all of the collateral and allows us to keep the loaned asset. This is done by sandwiching the trade on ourselves in order to make a really bad ratio for asset A to Asset B. Neat attack! Overall, a weird use case for sandwiching. Most of the time, we're sandwiching other users. In this case, we sandwiched ourselves to break the math being done. To fix this, Alchemix ensures that the remaining collateral from a liquidation (if any) divided by the debt is above the minimum colleralization ratio.
Analysis Summary
# Vulnerability: Missing Solvency Check in Alchemix Liquidation Function Leading to Bad Debt
## CVE Details
- CVE ID: Not explicitly provided in the text.
- CVSS Score: Not explicitly provided in the text, but context suggests **Critical** severity based on potential loss ($11.6 Million USD equivalent).
- CWE: CWE-834 (Improper Neutralization of Data within a Calculation/Formula) or similar logic error related to solvency checks.
## Affected Systems
- Products: Alchemix Finance (AlchemistV2.sol contracts related to liquidation).
- Versions: Vulnerable state prior to the patch deployment (reported on September 28, 2023).
- Configurations: Any system utilizing the `liquidate()` function where the `minOut` parameter in a sandwich attack scenario could violate solvency checks.
## Vulnerability Description
The vulnerability resided in the liquidation process of the Alchemix protocol, specifically within the `liquidate()` function, which failed to enforce proper solvency checks after the swap operation used to repay debt.
An attacker could initiate a liquidation transaction and sandwich the internal trade (which occurs during the `unwrap()` function call) against themselves. By manipulating the price ratio between the collateral asset (e.g., stETH) and the debt asset (e.g., alETH) during the crucial internal swap to be extremely unfavorable (ratio approaching zero), the protocol calculates that a negligible amount of collateral is needed to cover the debt.
When the attacker sets `minOut` to 0 during the liquidation call, the protocol executes the trade, repays the debt using the severely devalued collateral portion, but then incorrectly returns **all** remaining collateral to the attacker because the solvency check against the remaining collateral was missing or bypassed. This resulted in the protocol incurring bad debt as it paid out the full expected collateral while the debt was only partially settled using a disproportionately small value of the collateralized asset.
## Exploitation
- Status: **PoC available** (The description details the exact steps for exploitation, though it was disclosed responsibly and contained before impact).
- Complexity: **Medium** (Requires capital deposit and precise sandwich attack timing/execution).
- Attack Vector: Network (Smart contract interaction).
## Impact
- Confidentiality: No direct impact.
- Integrity: **High**. Direct manipulation of debt ratios leading to protocol loss and unbacked tokens being issued/collateral being improperly distributed. Potential to create over 7,000 unbacked alETH ($11.6M USD equivalent) if left unnoticed.
- Availability: Low/Medium. Service functionality remains, but the trustworthiness and solvency of the system are immediately compromised.
## Remediation
### Patches
- The fix involves ensuring that the remaining collateral after the liquidation swap, when divided by the remaining debt, must still be above the protocol's minimum collateralization ratio.
### Workarounds
- No specific standalone workarounds were mentioned other than applying the contract fix. The issue was resolved via a prompt fix post-disclosure.
## Detection
- Indicators of Compromise: Liquidation transactions where the `minOut` parameter is set to 0, or subsequent state changes resulting in collateral disbursement that drastically alters the collateralization ratio without corresponding debt reduction.
- Detection methods and tools: Monitoring transaction flows for unusual parameters in `liquidate()` calls and verifying the post-liquidation ratio ($RemainingCollateral / Debt \ge MinRatio$).
## References
- Vendor advisories: Immunefi report/article regarding the fix review.
- Relevant links - defanged: hxxps://medium.com/immunefi/alchemix-missing-solvency-check-bugfix-review-46e8f0c119e1