Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: medium

Valid

Underlying tokens (WETH) are locked in contract without conversion to `alETH`

newspacexyz

Summary

In the StrategyMainnet contract, the claimAndSwap function only swaps claimed underlying tokens (WETH) to alETH, rather than the entire WETH balance held by the contract. Additionally, the _harvestAndReport function does not perform any swaps or deposits. As a result, any existing WETH balance in the contract remains unconverted and locked, with no mechanism for the admin to deposit it as alETH into the Transmuter.

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyMainnet.sol#L92-L113

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyMainnet.sol#L172-L192

This issue happens also in StrategyArb, StrategyOp.

Vulnerability Details

claimAndSwap:
- Only swaps the WETH claimed from the Transmuter during the claim step, ignoring any other WETH held in the contract.
_harvestAndReport:
- Does not include any logic to swap the WETH balance or deposit it as alETH into the Transmuter.

Root Cause:

There is no mechanism in the contract to handle existing WETH (underlying tokens) held by the contract.
The absence of a process to convert or utilize the WETH balance leads to it being indefinitely locked within the contract.

Impact

Locked Capital:
- Any WETH held in the contract is effectively unusable, leading to inefficiencies and loss of potential yield.
Admin Inability to Deposit WETH:
- Even if the admin wants to convert WETH to alETH and deposit it into the Transmuter, the contract does not provide a mechanism to do so.
Reduced Yield Optimization:
- Without converting WETH to alETH and depositing it, the strategy cannot fully optimize its yield.

Tools Used

Recommendations

Add Functionality to Swap and Deposit Idle WETH:
- Introduce a function to convert the entire WETH balance held by the contract to alETH and deposit it into the Transmuter.
Incorporate Swapping in _harvestAndReport:
- Modify _harvestAndReport to include logic for swapping any idle WETH to alETH and depositing it into the Transmuter.

Updates

Appeal created

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

newspacexyz Submitter

10 months ago

inallhonesty Lead Judge

10 months ago

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Dormant WETH is not properly treated

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.