Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: medium

Valid

Incomplete `_harvestAndReport` Implementation Can Misreport Strategy Assets

jesjupyter

Summary

The _harvestAndReport function is intended to accurately reflect a strategy’s total assets by claiming all rewards, selling them, and redepositing the proceeds.

However, in its current implementation, this function does not perform these critical operations. Furthermore, the _totalAssets calculation does not account for WETH stored in the transmuter, leading to an undervaluation of the strategy’s assets. This misreporting can cause the strategy to appear as if it has incurred losses, leading to a lower price per share and potential losses for users who withdraw their funds.

Vulnerability Details

When report is called, it is expected to accurately account for the strategy’s total assets, including deployed, loose, and unclaimed rewards:

// Tell the strategy to report the real total assets it has.

// It should do all reward selling and redepositing now and

// account for deployed and loose `asset` so we can accurately

// account for all funds including those potentially airdropped

// and then have any profits immediately locked.

uint256 newTotalAssets = IBaseStrategy(address(this))

.harvestAndReport();

The _harvestAndReport implementation, however, does not claim rewards, sell them, or reinvest them as intended:

function _harvestAndReport()

internal

override

returns (uint256 _totalAssets)

{

uint256 claimable = transmuter.getClaimableBalance(address(this));

if (claimable > 0) {

// transmuter.claim(claimable, address(this));

}

// NOTE : we can do this in harvest or can do seperately in tend

// if (underlying.balanceOf(address(this)) > 0) {

// _swapUnderlyingToAsset(underlying.balanceOf(address(this)));

// }

uint256 unexchanged = transmuter.getUnexchangedBalance(address(this));

// NOTE : possible some dormant WETH that isn't swapped yet

uint256 underlyingBalance = underlying.balanceOf(address(this));

_totalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance;

}

Incomplete Reward Handling:
• The function skips the actual claiming of rewards (transmuter.claim).
• Any subsequent steps, such as selling rewards and redepositing the proceeds, are also omitted.
Incorrect Asset Calculation:
• The _totalAssets calculation does not include dormant WETH stored in the transmuter.
• This omission undervalues the total assets of the strategy.

The undervalued _totalAssets results in:

A false assumption that the strategy has experienced losses.
A reduced price per share, penalizing users who withdraw during this period.

Impact

Users who withdraw funds after a misreported report call may suffer losses due to the artificially lowered price per share. This misalignment between reported and actual assets undermines user trust and could discourage participation in the strategy.

Tools Used

Manual

Recommendations

To mitigate this issue, it is recommended to Complete the _harvestAndReport Logic.

Updates

Appeal created

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Incorrect accounting in `_harvestAndReport` claimable should be included

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.