Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Incomplete implementation of `_harvestAndReport` function

newspacexyz

Summary

The _harvestAndReport function in the StrategyMainnet, StrategyOp, StrategyArb contract does not fulfill its intended purpose as outlined in the Yearn Strategy Writing Guide. According to the guide, this function should:

"Harvest and sell any rewards, reinvest any proceeds, perform any position maintenance and return a full accounting of a trusted amount denominated in the underlying asset the strategy holds."

However, the current implementation of _harvestAndReport:

Does not harvest: It does not claim underlying tokens (WETH) from the Transmuter.
Does not reinvest: It does not perform any swaps or deposits to reinvest idle funds.
Only returns total balance: It merely calculates and returns the sum of unexchanged, asset.balanceOf, and underlyingBalance.

Vulnerability Details

Affected Function:

_harvestAndReport

Root Cause:

The implementation does not include the core harvesting logic, such as:

Claiming rewards or yield (WETH) from the Transmuter.
Swapping or reinvesting proceeds into the yield-generating positions (e.g., depositing alETH into the Transmuter).
Performing position maintenance to optimize strategy performance.

Impact:

The function does not meet its intended purpose, resulting in:

Idle Funds: WETH or other idle assets in the contract remain unutilized, reducing yield generation.
Incomplete Reporting: The total balance returned is accurate only in terms of raw token holdings, but it does not represent optimized capital allocation.
Inefficient Strategy: The strategy does not fully utilize its mechanisms to generate yield, impacting overall performance.

Tools Used

Recommendations

Implement Harvesting Logic:
Add logic to claim rewards or underlying tokens (WETH) from the Transmuter.
Include Reinvestment Mechanism:
After claiming WETH, swap it to alETH (if necessary) and deposit it into the Transmuter to reinvest proceeds.
Perform Position Maintenance:
Implement logic to rebalance or optimize the current positions held by the strategy as part of the harvesting process.

Updates

Appeal created

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Incorrect accounting in `_harvestAndReport` claimable should be included

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Incorrect accounting in `_harvestAndReport` claimable should be included

0xhuntoor Auditor

10 months ago

newspacexyz Submitter

10 months ago

inallhonesty Lead Judge

10 months ago

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.