No incentive to call transmute() instead of forceTransmute(self) #68

Open
code423n4 opened this issue Nov 18, 2021 · 1 comment
Labels
1 (Low Risk): Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug: Something isn't working
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
wont fix

Comments

@code423n4

Handle

cmichel

Vulnerability details

The difference between the Transmuter.transmute function and calling forceTransmute(self) on one's own account is that transmute reallocates any excess yield to all other stakers, while forceTransmute pays out the excess yield to the user.

"One interesting side effect of this process is that a user's position can be over-filled. For example, a user deposits 1000 alUSD, and some time later, that staking position will have 1050 DAI filled. Once a user has gone past this limit, it is possible for other users to initialize a claim on their behalf. For any balance of DAI over their staked alUSD, the user who claimed on their behalf will have that surplus in amount immediately convert their staked alUSD." (forceTransmute) vs "If the person who staked the alUSD claims their DAI with a surplus, the surplus will be cycled back into the Transmuter and be spread globally." (transmute) https://alchemix-finance.gitbook.io/alchemix-finance/transmuter

Impact

There doesn't seem to be an economic incentive for rational agents to call transmute instead of just force-transmuting themselves.

Recommended Mitigation Steps

Remove the transmute function or remove forceTransmute and make its behavior the default for transmute.

code423n4 added the 1 (Low Risk) and bug labels Nov 18, 2021
code423n4 added a commit that referenced this issue Nov 18, 2021
Xuefeng-Zhu added the sponsor acknowledged label Dec 1, 2021
@Xuefeng-Zhu

forceTransmute requires waiting for a longer time, so it is not equivalent to transmute
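Added example, not code from the audited contracts or from either commenter: a simplified Python model of the two claim paths, built only from the behaviour quoted in the issue, comparing what a staker ends up with on each path. The account names, bob's stake, the pro-rata redistribution rule and crediting the surplus to the caller's balance are assumptions of the model.

```python
# Simplified model of the two claim paths, built only from the behaviour quoted
# in the issue. Names and numbers are constructed; this is not the contract code.
from dataclasses import dataclass, field

@dataclass
class Transmuter:
    staked: dict = field(default_factory=dict)   # alUSD staked per account
    filled: dict = field(default_factory=dict)   # DAI allocated per account

    def _redistribute(self, amount, exclude):
        # Assumed rule: spread a surplus over the other stakers, pro rata to stake.
        others = {a: s for a, s in self.staked.items() if a != exclude and s > 0}
        total = sum(others.values())
        for account, stake in others.items():
            self.filled[account] += amount * stake // total

    def transmute(self, user):
        # Owner claim: anything above the stake is cycled back to everyone else.
        payout = min(self.filled[user], self.staked[user])
        surplus = self.filled[user] - payout
        self.staked[user] -= payout
        self.filled[user] = 0
        self._redistribute(surplus, exclude=user)
        return payout

    def force_transmute(self, caller, target):
        # Only available once the target's position is over-filled.
        if self.filled[target] <= self.staked[target]:
            raise ValueError("position is not over-filled yet")
        payout = self.staked[target]
        surplus = self.filled[target] - payout
        self.staked[target] = 0
        self.filled[target] = 0
        self.filled[caller] += surplus   # surplus is credited to the caller
        return payout, surplus

def compare(staked_amt=1000, filled_amt=1050):
    # Same starting state for both paths; alice is the over-filled staker.
    def fresh():
        return Transmuter(staked={"alice": staked_amt, "bob": 3000},
                          filled={"alice": filled_amt, "bob": 0})
    a = fresh()
    via_transmute = a.transmute("alice") + a.filled["alice"]
    b = fresh()
    payout, _ = b.force_transmute("alice", "alice")
    via_force = payout + b.filled["alice"]
    return via_transmute, via_force, a.filled["bob"], b.filled["bob"]
```

`compare()` returns alice's total on each path followed by bob's allocation on each path; calling `force_transmute` on a position that is not yet over-filled raises, which is the precondition that separates the two paths in this model.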
