The value returned by the balanceDeployed() and _harvestAndReport() is inaccurate.
Summary
The value returned by the balanceDeployed() function and _harvestAndReport() of strategy(StrategyOp,StrategyMainnet,StrategyArb) is inaccurate.
Vulnerability Details
The value returned by the balanceDeployed() directly sums the amounts of wETH and alETH where There is a proportional conversion relationship between alETH and WETH。As follows,transmuter.getUnexchangedBalance(address(this)) returns amount of AlETH,underlying.balanceOf(address(this)) returns amount of WETH,asset.balanceOf(address(this)) returns amount of AlETH。
function balanceDeployed() public view returns (uint256) {
return transmuter.getUnexchangedBalance(address(this)) + underlying.balanceOf(address(this)) + asset.balanceOf(address(this));
}
_harvestAndReport() function has the same problem
Impact
misleading customers.
Tools Used
just code review
Recommendations
There are two solutions, I prefer the second one.
Using router to convert the amount of ETH to the amount of ALETH(IRamsesRouter in StrategyArb, IVeloRouter in StrategyOp, ICurveRouterNG in StrategyMainnet)
balanceDeployed() and _harvestAndReport() return the two amounts(WETH and ALETH) separately.
Appeal created
balanceDeployed() and _harvestAndReport() add WETH and alETH, but they have different prices
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.