Alchemix Credit Accounting Bug Report
The Alchemix team (and, concurrently, 2 white-hats via Immunefi) found an edge case in some accounting logic that currently affects a small number of protocol users.
The issue affects user credit in the Alchemist smart contracts. To be clear, this is not an exploit and has minor consequences for almost all of those affected. Only in specific cases where a particular combination of user actions has taken place will the bug have impacted a user account.
The following is a breakdown of the issue, the current effects, and how we will be moving forward to ameliorate the situation.
The Bug
The issue in question occurs when a user has pending credit and calls any function that updates their CDP except mint (deposit, withdraw, liquidate, repay). The bad accounting logic exists on line 39 of CDP.sol, a library used by the Alchemist.

Here, cdp[user].totalCredit is set to their pending credit minus their current debt, while it should be set to their current credit plus their pending credit minus their current debt.
The issue will arise in the following scenario:
1. Alice deposits collateral (DAI) into the Alchemist.
2. Alice gains a positive pending credit due to harvested yield.
3. Alice deposits or withdraws collateral to/from the Alchemist.
After step 3, Alice will no longer be able to mint the extra credit that she had obtained. Alice would need to mint said credit as soon as it is available (i.e. between steps 2 and 3) in order to realize it. This is because any function that touches a user’s CDP will update their CDP before doing anything else. As seen above, cdp.update() applies any pending credit to the CDP, but does not add their current cdp.totalCredit to that number first.
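The update rule described above can be checked with a small differential model that replays the same events under the buggy and the corrected rule and reports the credit lost. This is an added example, not code from the Alchemix contracts: the class, function and event names, the integer units, the branch taken when pending credit does not exceed debt, and mint realizing all stored credit are assumptions of the model.

```python
from dataclasses import dataclass, replace


@dataclass
class CDP:
    total_credit: int = 0  # credit already stored on the CDP
    total_debt: int = 0
    pending: int = 0       # harvested yield not yet applied
    minted: int = 0        # credit the user has realized by minting


def update(cdp: CDP, fixed: bool) -> None:
    """Apply pending credit; every CDP-touching call runs this first."""
    if cdp.pending > cdp.total_debt:
        surplus = cdp.pending - cdp.total_debt
        # Buggy rule overwrites stored credit; corrected rule adds to it.
        cdp.total_credit = (cdp.total_credit + surplus) if fixed else surplus
        cdp.total_debt = 0
    else:
        cdp.total_debt -= cdp.pending  # assumed: yield only pays down debt
    cdp.pending = 0


def replay(start: CDP, events, fixed: bool) -> CDP:
    cdp = replace(start)  # copy, so both rules start from the same state
    for kind, amount in events:
        if kind == "harvest":
            cdp.pending += amount
            continue
        update(cdp, fixed)  # deposit, withdraw, repay, liquidate, mint
        if kind == "mint":  # assumed: mint realizes all stored credit
            cdp.minted += cdp.total_credit
            cdp.total_credit = 0
    return cdp


def lost_credit(start: CDP, events) -> int:
    """Credit under the corrected rule minus credit under the buggy rule."""
    good, bad = replay(start, events, True), replay(start, events, False)
    return (good.total_credit + good.minted) - (bad.total_credit + bad.minted)


# Constructed sample: 50 credit already stored, then 30 more is harvested.
START = CDP(total_credit=50)
AFFECTED = [("harvest", 30), ("withdraw", 0)]  # update overwrites the 50
MITIGATED = [("mint", 0), ("harvest", 30), ("mint", 0), ("withdraw", 0)]

if __name__ == "__main__":
    print("lost when withdrawing first:", lost_credit(START, AFFECTED))
    print("lost when minting first:", lost_credit(START, MITIGATED))
```

Collateral amounts are not modelled, so the amount on deposit and withdraw events is ignored; only the order of harvests, mints and other CDP-touching calls matters here.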
The Effects
The total amount of outstanding credit at time of writing was 24505.00 alUSD and 3.55 alETH.
The largest amount of outstanding credit in any account was 4702.76 alUSD and 1.91 alETH.
There are currently 601 alUSD users and 183 alETH users with the potential to be affected in some way, but the UI changes outlined below have mitigated this risk.
Resolution
The Alchemist contracts are immutable, and cannot be upgraded in their current form. However, this bug does not currently affect a large number of users, and Alchemix V2 is on the horizon, so we do not think deploying new Alchemist V1 contracts is appropriate at this time.
An alert has been added to the UI to inform users when they have a pending credit. This alert will notify users of the bug and instruct them to mint any available credit before taking further action that would update their CDP. This will help to ensure that users do not lose any pending credit that they are entitled to.
Users who have been affected have been reimbursed for at least the value that they lost as a result of this bug, with a floor of 0.0042069 ETH and 16.9420 DAI. The funds have been sent to their wallets.
The UI has been modified to prevent users from performing actions that would trigger this bug. It is possible to disable the warnings that prevent the bug from occurring, but users should be aware that if they disable the warnings and proceed to let the bug affect them, Alchemix will not reimburse anybody going forward.
Links to reimbursement transactions:
DAI: https://etherscan.io/tx/0x405f5d9d13abf5e23f8176a966c89e42bee561cf78ee76f682437f08823ed87a
ETH: https://etherscan.io/tx/0x997d482fd1bebdbc3efab9b012eecd0812d22fbbf259b4cdf5a935d8004aeea2