DeFi, Foundry, Solidity
16,653 OP
Submission Details
Severity: medium
Valid

`claimable` amount is not accounted for in `_harvestAndReport` function

Summary

The `_harvestAndReport` function does not account for the claimable amount.

Vulnerability Details

As per the natspec of the `_harvestAndReport` function, all funds should be accounted for and returned, including "rewards":

```solidity
 * @dev Internal function to harvest all rewards, redeploy any idle
 * funds and return an accurate accounting of all funds currently
 * held by the Strategy.
```

However, `_harvestAndReport` does not take the claimable amount into consideration. The value is read into `claimable` but never added to `_totalAssets`:

```solidity
function _harvestAndReport()
    internal
    override
    returns (uint256 _totalAssets)
{
    uint256 claimable = transmuter.getClaimableBalance(address(this));
    uint256 unexchanged = transmuter.getUnexchangedBalance(address(this));
    // NOTE : possible some dormant WETH that isn't swapped yet
    uint256 underlyingBalance = underlying.balanceOf(address(this));
    _totalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance;
}
```

Impact

As a result, an inaccurate locked amount is returned through the `BaseStrategy::harvestAndReport` function.

Tools Used

Manual Review

Recommendations

Add the claimable amount to `_totalAssets` before returning it from the `_harvestAndReport` function.
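The accounting gap and the recommended fix can be reproduced in isolation. The following is an added example, not code from the submission or the audited project: `MockToken`, `MockTransmuter`, `AccountingHarness` and `AccountingTest` are hypothetical stand-ins, and the claimable amount is assumed to be summed 1:1 in the same way the quoted code already sums `underlyingBalance`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Constructed mocks: hypothetical stand-ins for the real tokens and transmuter.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
}

contract MockTransmuter {
    mapping(address => uint256) private claimable;
    mapping(address => uint256) private unexchanged;
    function set(address who, uint256 c, uint256 u) external { claimable[who] = c; unexchanged[who] = u; }
    function getClaimableBalance(address who) external view returns (uint256) { return claimable[who]; }
    function getUnexchangedBalance(address who) external view returns (uint256) { return unexchanged[who]; }
}

// Harness holding both accounting variants side by side.
contract AccountingHarness {
    MockToken public asset;
    MockToken public underlying;
    MockTransmuter public transmuter;
    constructor(MockToken a, MockToken u, MockTransmuter t) { asset = a; underlying = u; transmuter = t; }

    // Accounting as quoted in the finding: claimable is never added.
    function reportedAsQuoted() public view returns (uint256) {
        uint256 unexchanged = transmuter.getUnexchangedBalance(address(this));
        uint256 underlyingBalance = underlying.balanceOf(address(this));
        return unexchanged + asset.balanceOf(address(this)) + underlyingBalance;
    }

    // Accounting per the recommendation (assumption: claimable counts 1:1).
    function reportedWithClaimable() public view returns (uint256) {
        return reportedAsQuoted() + transmuter.getClaimableBalance(address(this));
    }
}

contract AccountingTest {
    function testClaimableIsCounted() external {
        MockToken asset = new MockToken();
        MockToken underlying = new MockToken();
        MockTransmuter t = new MockTransmuter();
        AccountingHarness h = new AccountingHarness(asset, underlying, t);
        asset.mint(address(h), 1 ether);
        underlying.mint(address(h), 2 ether);
        t.set(address(h), 3 ether, 4 ether); // constructed values: 3 claimable, 4 unexchanged
        require(h.reportedAsQuoted() == 7 ether, "quoted version omits claimable");
        require(h.reportedWithClaimable() == 10 ether, "fixed version includes claimable");
    }
}
```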

Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect accounting in `_harvestAndReport` claimable should be included
