Incorrect Balance Calculation in `balanceDeployed` in `StrategyOp.sol`
Summary
The balanceDeployed function in the contract calculates the total deployed balance by summing the underlying token (e.g., WETH) balance and the asset token (e.g., alETH) balance directly without considering their conversion rates.
This approach can lead to an overstatement or understatement of the strategy's total value.
Vulnerability Details
The balanceDeployed function calculates the total balance as follows:
The underlying token balance is directly added to the asset token balance without converting the underlying value into the equivalent asset value using a conversion rate.
Since the values of the underlying and asset tokens can differ, the total balance calculation may misrepresent the actual value held by the strategy.
Impact
This incorrect calculation can mislead stakeholders or automated systems relying on the balanceDeployed value for decision-making.
Recommendations
To ensure accurate calculations, the underlying balance should be converted to its equivalent asset value using the current conversion rate.
This can be achieved by integrating an oracle or another reliable mechanism to fetch the conversion rate.
Appeal created
balanceDeployed() and _harvestAndReport() add WETH and alETH, but they have different prices
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.