Audit Comp | Alchemix-logo

Audit Comp | Alchemix

veALCX is the tokenomics upgrade for ALCX, Alchemix's governance token. Users will lock 80/20 ALCX/ETH Balancer Liquidity Tokens into veALCX in exchange for voting power, ALCX emissions, and protocol revenue. Voting power is used to vote on snapshot proposals, on-chain governance of veALCX contracts, and gauge voting to direct ALCX emissions. veALCX users also earn a new ecosystem token called FLUX that allows for boosted gauge voting and early unlocks.

Status

Finished
Rewards Pool
$125,000
Vault TVL
To be determined
Started
30 April 2024
Ended
21 May 2024
Rewards Token
USDC
nSLOC
3,181
  • Triaged by Immunefi

  • PoC required

Select the category you'd like to explore

Assets in Scope

Target
Primacy Of Impact
Type
Smart Contract
Added on
6 May 2024
Target
Type
Smart Contract - RevenueHandler.sol - 183
Added on
30 April 2024
Target
Type
Smart Contract - RewardsDistributor.sol - 286
Added on
30 April 2024
Target
Type
Smart Contract - VotingEscrow.sol - 887
Added on
30 April 2024
Target
Type
Smart Contract - Minter.sol - 124
Added on
30 April 2024
Target
Type
Smart Contract - BaseGauge.sol - 49
Added on
30 April 2024
Target
Type
Smart Contract - Voter.sol - 335
Added on
30 April 2024
Target
Type
Smart Contract - RewardPoolManager.sol - 102
Added on
30 April 2024
Target
Type
Smart Contract - FluxToken.sol - 152
Added on
30 April 2024
Target
Type
Smart Contract - CurveMetaPoolAdapter.sol - 30
Added on
30 April 2024
Target
Type
Smart Contract - CurveEthPoolAdapter.sol - 34
Added on
30 April 2024
Target
Type
Smart Contract - Bribe.sol - 256
Added on
30 April 2024

Impacts in Scope

Proof of Concept (PoC) Requirements

A PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.

Whitehat Educational Resources & Technical Info

Is this an upgrade of an existing system? If so, which? And what are the main differences?

This is a brand-new system to Alchemix, but is an upgrade of Velodromes veVELO (which is an upgrade of solidly’s vote-escrow system). The primary differences are:

  • Alchemix is not a DEX, and therefore sends a majority of ALCX to external locations such as incentives for 3rd party DEX pools, and vote incentives on platforms such as votium, votemarket, etc. Therefore, the system requires both external and internal gauges (ie, gauges that send ALCX to 3rd party and internal contracts).
  • Alchemix has introduced a “continuous max lock” boolean that may be enabled to prevent decay in voting power and remaining lock time (thus eliminating the need to manually re-lock a position constantly)
  • Alchemix has added the FLUX token, which is earned by veALCX lockers. Accrued FLUX credit can be burned to boost gauge voting power. Alternatively, credit can be burned to mint an ERC20 version of FLUX. The FLUX ERC20 is tradeable, and can be used to unlock a veALCX position early. The ERC20 can NOT be used to boost gauge voting power.
  • Alchemix has created a system by which any veALCX revenue asset can be whitelisted to be converted to alAssets to repay users’ debt so long as there is a direct swap path. Assets that are not whitelisted will be passed through directly to veALCX users.

Where do you suspect there may be bugs?

  • Which parts of the code are you most concerned about?

The highest concern is in the accounting of bribes, including ensuring the total supply is tracked correctly.

  • What attack vectors are you most concerned about?

Any attack that would artifically inflate a user’s claim on bribes, rewards, or a user’s voting power, or any other means by which bribes and rewards could be stolen.

  • Which part(s) of the system do you want whitehats to attempt to break the most?

The rewards distributor and voting system has the most complexity and handles bribes which could be a variety of assets as well as tracking voting

  • Are there any assumed invariants that you want whitehats to attempt to break?
    • A user should never be able to claim more bribes than they have earned
    • A user should never be able to claim more revenue than they have earned
    • A user should never be able to claim more rewards than they have earned
    • A user should never be able to vote with more power than they have

What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?

ERC20, ERC721, ERC4626

What monitoring systems may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?

None.

What Roles are there, and what capacities do they have?

users - veALCX holders: can create new veALCX tokens, vote, claim bribes, claim rewards (ALCX), claim revenue, claim / burn / boost vote with FLUX delegates - addresses veALCX holders approved to act on their behalf admin - address (governance) that can update system state variables as needed

Which Roles are trusted roles and what privileges do they hold?

admin - address (governance) that can update system state variables as needed.

Are there trusted roles for which you would consider any bugs invalid, even if the roles are not intended to have that capacity?

Any malicious behavior that an admin can execute is acknowledged and invalid since the assumption is that admin will be a trusted party

What external dependencies are there?

Balancer pool - 0xf16aEe6a71aF1A9Bc8F56975A4c2705ca7A782Bc

Aura pool - 0x8B227E3D50117E80a02cd0c67Cd6F89A8b7B46d7

ALCX/ETH price feed - 0x194a9AaF2e0b67c35915cD01101585A33Fe25CAa

Where might whitehats confuse out-of-scope code to be in-scope?

The Balancer pool and Aura pools are out of scope and are acknowledged as a third-party pool integration.

Dependencies should be audited to verify they are being referenced and utilized correctly, but the dependencies themselves do not need to be audited (ie, it should be assumed the dependencies function as intended). For example, it should be assumed the Balancer Pool Token always represents 80% balance of ALCX and a 20% balance of ETH that tracks the initial deposit.

Are there any unusual points about your protocol that may confuse whitehats?

Voting power decay over time. If a user does not update their vote their voting power remains constant, however, they will not be eligible for future bribes or FLUX earnings until they vote. This is considered when accounting for the distribution of Bribes in a given Epoch.

Rewards claiming with the Alchemists. If a user has an open debt position in an Alchemist (alETH, alUSD) they can claim revenue that pays off the debt in a given position, so long as that revenue asset is whitelisted to be swapped to the alAsset.

Aura rewards with ALCX-BPT. Deposits are sent to the Aura rewards pool when a user creates a veALCX position. VotingEscrow.sol accounts for this and manages the deposit and withdrawal when a user deposits or withdrawals from the VotingEscrow.sol contract.

Users can boost their vote only with unclaimed FLUX. Once FLUX has been claimed it can only be used to unlock a veALCX token early. It is intentional that it requires longer than the period their token is locked to accrue enough FLUX to unlock a veALCX position early.

What is the test suite setup information?

https://github.com/alchemix-finance/alchemix-v2-dao/blob/main/README.md

Which chains are the smart contracts going to be deployed to?

ETH Mainnet

Public Disclosure of Known Issues

Bug reports covering previously discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.

  • Ambiguous Proposal Executions via the TimelockController are acknowledged and a part of the governance management system.
  • We are assuming that the price of the alAsset will always be at or below the price of the revenue token. This is currently a safe assumption since this imbalance has always held true for alUSD and alETH since their inception

Previous Audits

Alchemix’s completed audit reports can be found at https://drive.google.com/file/d/1YsO1t1-hSK1wkHajT_GAZ-u35O1Su74X/view?usp=sharing. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.

Severity
Critical
Title

Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results

Severity
Critical
Title

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Severity
Critical
Title

Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties

Severity
Critical
Title

Permanent freezing of funds

Severity
Critical
Title

Permanent freezing of NFTs

Severity
Critical
Title

Unauthorized minting of NFTs

Severity
Critical
Title

Predictable or manipulable RNG that results in abuse of the principal or NFT

Severity
Critical
Title

Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content)

Severity
Critical
Title

Protocol insolvency

Severity
High
Title

Theft of unclaimed yield

Severity
High
Title

Theft of unclaimed royalties

Severity
High
Title

Permanent freezing of unclaimed yield

Out of scope

Program's Out of Scope information

These impacts are out of scope for this bug bounty program.

All Categories:

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program

Blockchain/DLT & Smart Contract Specific:

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack)
  • Lack of liquidity impacts
  • Impacts from Sybil attacks
  • Impacts involving centralization risks

Prohibited Activities:

  • Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
  • Any testing with pricing oracles or third-party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks that are executed against project assets
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty