Submission Details
Severity: low
Invalid

Accounting can be wrong / misleading if tokens are directly sent to this contract

Summary

In StrategyMainnet, StrategyArb, and StrategyOp, the function balanceDeployed can have a wrong / misleading accounting value returned if alETH or wETH are directly sent to the contracts. The returned value will include assets that are free radicals and not currently deployed in any way.

Vulnerability Details

Based on the function name, this is supposed to return the total balance of funds that this strategy has deployed - however, the accounting can be wrong and include funds that are not deployed if either underlying or asset tokens are directly sent to this contract.

Impact

It is unclear if this function is just for viewing purposes or if it will be used in any functionality down the line. But if any functionality depends on this function's return value, it could be operating off of a misleading value.

Tools Used

Manual Review

Recommendations

I am unsure where this function will be used, but if it is important for critical functionality, where the deployed balance needs to be accurate or else wrong accounting can lead to problems or loss of funds, the internal accounting mechanism for deployed balances needs to not rely on balanceOf checks.
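
The contrast the recommendation describes, as an added example that is not part of the submission and is not the audited strategy code: a balanceOf-based view next to an internally tracked one. The contract, its function names and the simplification that held tokens stand in for the deployed position are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed for the illustration.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical sketch; every name here is an assumption, not the audited code.
contract TrackedStrategySketch {
    IERC20 public immutable asset;
    address public immutable owner;
    uint256 private _tracked; // changes only through deposit() and withdraw()

    constructor(IERC20 asset_) {
        asset = asset_;
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function deposit(uint256 amount) external onlyOwner {
        _tracked += amount;
        require(asset.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    function withdraw(uint256 amount) external onlyOwner {
        _tracked -= amount; // checked arithmetic: reverts if amount exceeds tracked funds
        require(asset.transfer(msg.sender, amount), "transfer failed");
    }

    // balanceOf-based view: also counts tokens sent directly to the contract.
    function balanceByBalanceOf() external view returns (uint256) {
        return asset.balanceOf(address(this));
    }

    // Internal-accounting view: unaffected by direct transfers.
    function balanceTracked() external view returns (uint256) {
        return _tracked;
    }

    // Tokens that arrived outside deposit(); a non-zero value is a monitoring signal.
    function untracked() external view returns (uint256) {
        uint256 bal = asset.balanceOf(address(this));
        return bal > _tracked ? bal - _tracked : 0;
    }
}
```

After a direct token transfer to the contract, balanceByBalanceOf() rises while balanceTracked() stays the same, and untracked() reports the difference.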

Updates

Lead Judging Commences

inallhonesty Lead Judge
9 months ago

Appeal created

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[INVALID] balanceDeployed will return a bad value if someone donates WETH
