Alchemix Transmuter

Summary

In the StrategyMainnet, StrategyArb, StrategyOp contract, the balanceDeployed and _harvestAndReport functions calculate total balances by summing unexchanged, asset.balanceOf(address(this)), and underlyingBalance. However, this accounting is unnecessary and potentially misleading because:

1. The strategy does not maintain any idle underlying Ether (WETH), as all claimed WETH is immediately swapped to alETH and deposited into the Transmuter.

2. The strategy never holds a balance of uninvested WETH, so accounting for underlyingBalance is redundant.

This results in unnecessary complexity and an inaccurate representation of the strategy's actual deployed assets.

Vulnerability Details

Affected Functions:

1. balanceDeployed:

   • Returns the sum of unexchanged, asset.balanceOf(address(this)), and underlyingBalance:

     return transmuter.getUnexchangedBalance(address(this)) + underlying.balanceOf(address(this)) + asset.balanceOf(address(this));

   • This unnecessarily includes underlyingBalance, which is always zero because WETH is immediately swapped to alETH and deposited.

2. _harvestAndReport:

   • Similarly calculates total assets without considering that idle WETH never exists in the contract:

     _totalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance;

   • This creates redundant and incorrect reporting for total assets.

Root Cause:

• The contract logic ensures that claimed WETH is always swapped and deposited, so there is no need to account for idle WETH.

• Both functions unnecessarily include underlyingBalance in their calculations.

Impact

1. Redundant Accounting:

   • The inclusion of underlyingBalance and asset.balanceOf(address(this)) results in redundant calculations.

2. Misleading Reporting:

   • The reported total assets suggest the possibility of idle WETH, which is not the case in this strategy.

3. Unnecessary Complexity:

   • The accounting logic complicates function implementations without adding value.

Tools Used

Recommendations

1. Simplify balanceDeployed Function:
   Remove the unnecessary inclusion of underlyingBalance and directly return the unexchanged alETH balance from the Transmuter and the current alETH balance.

2. Refactor _harvestAndReport:
   Modify _harvestAndReport to remove redundant calculations and directly report the sum of unexchanged alETH and the alETH balance held in the contract.