Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: medium

Valid

Inaccurate accounting in `_harvestAndReport` function (Missing oracle price)

newspacexyz

Summary

The _harvestAndReport function in the StrategyMainnet contract sums the balances of unexchanged, asset.balanceOf(address(this)), and underlyingBalance to calculate the total assets. However, it does not account for the price difference between alETH (synthetic Ether) and WETH (underlying Ether). While both represent Ether, their prices can diverge due to market conditions, leading to inaccurate asset accounting.

_totalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance;

This calculation assumes a 1:1 parity between alETH and WETH, which is not always valid. Without considering price differences, the reported total assets can deviate significantly from the true value.

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L173

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyMainnet.sol#L191

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L170

Vulnerability Details

The function assumes that the prices of alETH and WETH are always the same, but in practice, synthetic assets can diverge from their underlying counterparts due to:

Market Dynamics: alETH might trade at a premium or discount to WETH.
Conversion Delays: The Transmuter may not convert synthetic tokens into their underlying equivalents instantly, leading to temporary price discrepancies.
Liquidity Variations: Market liquidity for alETH and WETH can differ, further exacerbating price divergence.

As a result, summing the token balances without converting them using an accurate price feed results in incorrect accounting.

Impact

Inaccurate Reporting: The _harvestAndReport function may report incorrect total asset values, affecting strategy performance metrics.
Mismanagement Risk: Strategies relying on this function for decision-making could mismanage funds due to inaccurate data.

Tools Used

Recommendations

Incorporate Oracle Prices:
Use a reliable on-chain oracle to fetch the current exchange rate between alETH and WETH.
Use a Unified Accounting Framework:
Normalize all balances (unexchanged, asset.balanceOf, and underlyingBalance) to the same unit (e.g., WETH) before summing.

Updates

Appeal created

inallhonesty Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Incorrect accounting in `_harvestAndReport` claimable should be included

inallhonesty Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Incorrect accounting in `_harvestAndReport` claimable should be included

inallhonesty Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

balanceDeployed() and _harvestAndReport() add WETH and alETH, but they have different prices

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.