Alchemix v2 audit, completed in partnership with Runtime Verification

Alchemix Finance
3 min readFeb 8, 2022

--

Following a thorough review of our code and leaving only bytes to spare we’re delighted to present the findings of our Alchemix V2 smart contract audit.

Our work with Runtime Verification began in June of 2021 by doing a thorough review of design considerations for version 2 of both the Alchemist and the Transmuter, the two core elements of the Alchemix protocol. The feedback from this review helped shape the eventual architecture of both pieces, and put us on a path to develop a secure, scalable, pluggable version of the protocol that underwent a thorough audit in November and December of 2021. The results of this audit, and of our continuing partnership with RV, have proven invaluable, and have given us the confidence to launch the next iteration of the Alchemix protocol.

The V2 audit covered the following major contracts:

  • AlchemistV2
  • TransmuterV2
  • TransmuterBuffer
  • AlchemicTokenV2
  • WETHGateway
  • YearnTokenAdapter

the following base contracts:

  • Multicall
  • Mutex
  • SelfPermit
  • Whitelist

and the following libraries:

  • FixedPointMath
  • LiquidityMath
  • Limiters
  • SafeCast
  • Sets
  • Ticks
  • TokenUtils

The issues uncovered by RV fall into 3 tiers of severity: Low, Medium, and High.
Low issues consist of the potential for misconfigurations, the contracts not operating exactly as prescribed, and general informational notes. Medium issues are those that could lead to loss of functionality, loss of funds, or yield manipulation. High issues are those that could break core Alchemist accounting logic, or allow users to steal funds.

Of the 14 Low and 3 High issues, all recommended remedies were applied and reviewed by RV. While 9 of the 11 Medium issues were fixed and reviewed during the course of the audit, 2 (A08 & A09) were fixed after the audit was completed, and are currently being reviewed by RV.

One major design choice of note in Alchemix v2 is that of upgradeability. All 3 major contracts (AlchemistV2, TransmuterV2, and TransmuterBuffer) are built to be used via upgradeable proxies. This entrusts the Alchemix DAO with the ability and responsibility to upgrade the functionality of these pieces as it sees fit.

We know that users, builders, and the rest of the Alchemix community members are itching to get their hands on v2, so we’re looking to roll it out as soon as possible. After careful consideration, the Alchemix core team believes that the last 2 outstanding issues that were raised as a result of the last audit (mentioned above) are worth fixing before launching v2. PR’s are already out for review and the next engagement with RV began February 1st.

If you’d like to read the audit for yourself please use this link.

So, wen V2?

Soon(TM).

VERY soon(TM).

Alchemix | Docs | Discord | YouTube | Twitter | Forum | Github

--

--

No responses yet