Boost | Alchemix

Proof of Concept (PoC) Requirements

A PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.

Whitehat Educational Resources & Technical Info

• 1-year old medium article that is still largely correct: https://alchemixfi.medium.com/vealcx-update-272e8900ac5a
• Draft document that will eventually turn into a governance proposal to explain and define the launch parameters: https://alchemixdao.notion.site/veALCX-Launch-Parameters-Proposal-60113919e018424db7fc03c346c34386?pvs=4

Is this an upgrade of an existing system? If so, which? And what are the main differences?

This is a brand-new system to Alchemix, but is an upgrade of Velodromes veVELO (which is an upgrade of solidly’s vote-escrow system). The primary differences are:

• Alchemix is not a DEX, and therefore sends a majority of ALCX to external locations such as incentives for 3rd party DEX pools, and vote incentives on platforms such as votium, votemarket, etc. Therefore, the system requires both external and internal gauges (ie, gauges that send ALCX to 3rd party and internal contracts).
• Alchemix has introduced a “continuous max lock” boolean that may be enabled to prevent decay in voting power and remaining lock time (thus eliminating the need to manually re-lock a position constantly)
• Alchemix has added the FLUX token, which is earned by veALCX lockers. Accrued FLUX credit can be burned to boost gauge voting power. Alternatively, credit can be burned to mint an ERC20 version of FLUX. The FLUX ERC20 is tradeable, and can be used to unlock a veALCX position early. The ERC20 can NOT be used to boost gauge voting power.
• Alchemix has created a system by which any veALCX revenue asset can be whitelisted to be converted to alAssets to repay users’ debt so long as there is a direct swap path. Assets that are not whitelisted will be passed through directly to veALCX users.

Where do you suspect there may be bugs?

• Which parts of the code are you most concerned about?

The highest concern is in the accounting of bribes, including ensuring the total supply is tracked correctly.

• What attack vectors are you most concerned about?

Any attack that would artifically inflate a user’s claim on bribes, rewards, or a user’s voting power, or any other means by which bribes and rewards could be stolen.

• Which part(s) of the system do you want whitehats to attempt to break the most?

The rewards distributor and voting system has the most complexity and handles bribes which could be a variety of assets as well as tracking voting

• Are there any assumed invariants that you want whitehats to attempt to break?
  • A user should never be able to claim more bribes than they have earned
  • A user should never be able to claim more revenue than they have earned
  • A user should never be able to claim more rewards than they have earned
  • A user should never be able to vote with more power than they have

What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?

ERC20, ERC721, ERC4626

What monitoring systems may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?

None.

What Roles are there, and what capacities do they have?

users - veALCX holders: can create new veALCX tokens, vote, claim bribes, claim rewards (ALCX), claim revenue, claim / burn / boost vote with FLUX delegates - addresses veALCX holders approved to act on their behalf admin - address (governance) that can update system state variables as needed

Which Roles are trusted roles and what privileges do they hold?

admin - address (governance) that can update system state variables as needed.

Are there trusted roles for which you would consider any bugs invalid, even if the roles are not intended to have that capacity?

Any malicious behavior that an admin can execute is acknowledged and invalid since the assumption is that admin will be a trusted party

What external dependencies are there?

Balancer pool - 0xf16aEe6a71aF1A9Bc8F56975A4c2705ca7A782Bc

Aura pool - 0x8B227E3D50117E80a02cd0c67Cd6F89A8b7B46d7

ALCX/ETH price feed - 0x194a9AaF2e0b67c35915cD01101585A33Fe25CAa

Where might whitehats confuse out-of-scope code to be in-scope?

The Balancer pool and Aura pools are out of scope and are acknowledged as a third-party pool integration.

Dependencies should be audited to verify they are being referenced and utilized correctly, but the dependencies themselves do not need to be audited (ie, it should be assumed the dependencies function as intended). For example, it should be assumed the Balancer Pool Token always represents 80% balance of ALCX and a 20% balance of ETH that tracks the initial deposit.

Are there any unusual points about your protocol that may confuse whitehats?

Voting power decay over time. If a user does not update their vote their voting power remains constant, however, they will not be eligible for future bribes or FLUX earnings until they vote. This is considered when accounting for the distribution of Bribes in a given Epoch.

Rewards claiming with the Alchemists. If a user has an open debt position in an Alchemist (alETH, alUSD) they can claim revenue that pays off the debt in a given position, so long as that revenue asset is whitelisted to be swapped to the alAsset.

Aura rewards with ALCX-BPT. Deposits are sent to the Aura rewards pool when a user creates a veALCX position. VotingEscrow.sol accounts for this and manages the deposit and withdrawal when a user deposits or withdrawals from the VotingEscrow.sol contract.

Users can boost their vote only with unclaimed FLUX. Once FLUX has been claimed it can only be used to unlock a veALCX token early. It is intentional that it requires longer than the period their token is locked to accrue enough FLUX to unlock a veALCX position early.

What is the test suite setup information?

https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/README.md

Which chains are the smart contracts going to be deployed to?

ETH Mainnet

Public Disclosure of Known Issues

Bug reports covering previously discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.

• Ambiguous Proposal Executions via the TimelockController are acknowledged and a part of the governance management system.
• We are assuming that the price of the alAsset will always be at or below the price of the revenue token. This is currently a safe assumption since this imbalance has always held true for alUSD and alETH since their inception

Previous Audits

Alchemix’s completed audit reports can be found at https://drive.google.com/file/d/1YsO1t1-hSK1wkHajT_GAZ-u35O1Su74X/view?usp=sharing. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.