Vault's totalAssets are supposed to be in alETH token but WETH tokens get added
Summary
The strategies' _harvestAndReport function is supposed to correctly return the vault's total assets but it also includes the vautl's underlying token amount which doesn't have a 1:1 with the asset, resulting on smaller returns.
Vulnerability Details
This is the strategies' _harvestAndReport function and it is similar throughout the 3 contracts.
As we can see, it is also accounting for "possible dormant WETH that isn't swapped yet". However, WETH doesn't have a 1:1 peg to the vault's asset which is alETH.
Let's consider a scenario where 1 alETH = 0.95 WETH:
Vault holds
10 alETHin unexchanged balance.Vault also has
0.95 WETHthat isn't swapped yet._harvestAndReportwill return10 alETH + 0.95 WETH = 10.95 alETHtotal assets.In reality,
_harvestAndReportshould return11 alETHtotal assets, since1 alETH = 0.95 WETH.
Impact
This function is responsible to accurately update the vault's totalAssets. The totalAssets variable is used during the deposits and withdrawals, so any inaccuracy on this will result on innacurate shares getting minted or assets getting withdrawn.
Tools Used
Manual review
Recommendations
Consider pulling the alETH-WETH ratio from an oracle or a DEX and converting the WETH to alETH according to that price received.
Appeal created
balanceDeployed() and _harvestAndReport() add WETH and alETH, but they have different prices
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.