Missing Utilization of `claimable` in _harvestAndReport Results in Inaccurate Asset Reporting
Summary
The _harvestAndReport function in all contracts fails to account for the claimable balance retrieved from the transmuter when calculating the total assets. This omission results in an underestimation of the strategy's total assets and may lead to inaccurate reporting of the strategy's financial state.
Vulnerability Details
In _harvestAndReport, the claimable balance is retrieved from the transmuter:
However in both StrategyOp and StrategyArb this claimable amount is not included in the _totalAssets calculation:
In StrategyMainnet we have
claimable still not reported as per the docs in _harvestAndReport
Impact
This issue causes the strategy's total assets are underreported, which could mislead management and stakeholders about the strategy's financial health.
This likelihood of the issue is high as it's everytime this function is called, the assets are underreported, also this function is called before shutting down a strategy as per the comments in L320 a miscalculation can leave funds stuck.
I believe all these points are strong arguments for a medium severity
Tools Used
Manual Review
Recommendations
A possible mitigation for StrategyMainnet Harvest rewards from the transmuter so that the balance is included in asset.balanceOf(address(this))
Appeal created
Incorrect accounting in `_harvestAndReport` claimable should be included
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.