Summary

In StrategyMainnet , StrategyArb, StrategyOp, the function _harvestAndReport - is stated in the documentation to

But the function in all three contracts does not harvest the claimablerewards , it only checks the claimable balance of the the rewards, but does not harvest them and withdraw them. This leads to an innacurate accounting of total assets.

Vulnerability Details

This function states that it should harvest all rewards, so to pull the rewards from the transmuter to this contract so that they can be included in the accounting. But the rewards are never accounted for. Each of the three contracts gets the claimablebalance (which are the rewards in underlyingtoken that should be harvested as per documentation); But the claimablebalance is never actually harvested, so it isnt included in the _totalAssetsbalance that is returned.

Impact

I am unsure as to where this function is going to be used in the overall protocol, but if the return value of _totalAssetsis used in a critical function that requires an accurate accounting of the value, the critical function will operate off of an innacurate value and thus potentially causing significant miscalculations and transactions, also further accounting issues.

Tools Used

Recommendations

Pull the claimable amount of weth (underlying) rewards from the transmuter to this contract before fulfilling the total accounting.

There is this line of code that is supposed to pull the rewards, but it is commented out.

if (claimable > 0) { // transmuter.claim(claimable, address(this)); }

This should be actually ran, which would add the rewards to the underlyingBalance , which is then used in the _totalAssets variable which is the returned value of all of the assets. Because underlyingBalanceis used to represent the total weth(underlying token), the rewards need to be harvested and claimed so that they are included in the underlyingBalanceat the time of calculation of _totalAssets