Alchemix v2 audit and reviewed code fixes

Posted on August 11th, 2022 by Runtime Verification
Posted in Audits

Alchemix v2 audit and reviewed code fixes

Runtime Verification started working with Alchemix back in summer 2021, assisting the team with design and security concerns in the early days of v2 development. In the months that followed, both teams worked closely to improve the contract's design and code; this was followed by a full, thorough code audit before the v2 launch to reduce risk even further. The v2 audit lasted for seven weeks and a report was delivered on January 13th, 2022.

The v2 audit scope was limited to the Solidity source code of a large set of contracts constituting the v2 protocol's core system, including the "AlchemistV2", "AlchemicToken", "TransmuterV2" and "TransmuterBuffer" smart contracts. The scope also included additional contracts from the protocol's core and a limited selection of libraries but excluded any external contracts. A detailed list of the audited contracts and libraries can be found in the report. Some of the issues raised during the audit led the Alchemix team to make large changes to the code base, focusing on two major fixes: to prevent big investors from getting unfair advantage, and to ensure that a Transmuter always has the funds to pay its claims even if the yield token supporting it unexpectedly loses value. This required some clever reengineering of their contracts.

After an audit, projects usually don't undergo an additional full review to check if the new code changes introduced a new exploit scenario; many changes are only reviewed lightly if at all. The Alchemix team decided to start a new engagement with Runtime Verification to properly review all the code changes following the audit to have better assurance that the code will continue to behave as expected, and that no exploitable scenarios were introduced by these changes. Also, a review of token integrations which the team is currently working on was conducted.

In addition, a series of invariants identified in the v2 audit were encoded in Solidity. This allows the Alchemix team to demonstrate via fuzz-testing that the invariants are held as true when changes to the code are introduced, or when new integrations are added.

After working with Alchemix for almost a year on numerous engagements, we can confidently say that the Alchemix team is an example to follow on how to approach security; they seek to always minimize potential attack vectors through design consultation, modeling, auditing, and other best security practices. Make sure to follow Alchemix and Runtime Verification on Twitter to not miss any news as they continue to secure the future of the Alchemix protocol.