Alchemix Transmuter

Summary

In all the strategies, in the _harvestAndReport function, the claimable amount is not accounted for. This can result on user intentionally or accidentally receiving more or less shares than intended.

Vulnerability Details

This is the same _harvestAndReport function throughout the 3 strategies:

This function is called every time the Keepers call the report() function lying in the TokenizedStrategy.sol. This function is repsonsible to correctly update the totalAssets of the vault so the shares get minted/burnt correctly. Not including the claimable amount can cause a lot of problems. The report() functions is a complex one, depending on profitMaxUnlockTime value. This value by default is 10 days and can be changed by the protocol management to a value from 0 to 1 year.

The profitMaxUnlockTime value dictates for how long fake shares exist in the case that report() has a profit for totalAssets compared to the last current totalAssets. If the report increases the totalAssets then some shares are minted to the address of the strategy and eventually get burnt to slowly unlock the profit to avoid big step-wise increases of the assets. However, if the report decreases the totalAssets, then it burns the equivalent shares of that decrease. If there are no more fake shares available to burn, then nothing else happens and the totalAssets just decrease as they would.

Depending on profitMaxUnlockTime there are different issues that can arise from not accounting for the claimable amount.

Let's consider a scenario:

1. Vault gets deployed, bob deposits 2 alETH, receives 2e18 shares and the vault has unexchanged = 2 alETH and claimable = 0 WETH and report() gets called, so _harvestAndReport returns 2e18.

2. Time passes, now vault has unexchanged = 1 alETH and claimable = 1 WETH and report() gets called, so _harvestAndReport returns 1e18. Alice sees this transaction and it's always profitable for her to backrun and deposit her 1 alETH after the report() and get more shares than intended. While with 1 alETH should get 1/3 of the total vault shares, she will actually receive 1/2 of the total vault shares and she does that and gets 2e18 shares.

Also a scenario where profitMaxUnlockTime = 0 is an issue:

1. Vault currently has unexchanged = 1 alETH and claimable = 1 WETH and report() gets called, so totalAssets = 1e18.

2. Time passes, vault has unexchanged = 0.8 alETH and claimable = 1.2 WETH. The claimAndSwap function gets called and then report(), so now all the assets are unexchanged. The report() makes the totalAssets = 2.05e18. An immediate increase of 1.05e18. Users can frontrun this transaction even with a big flash loan and get a huge portion of the shares when totalAssets = 1e18 and backrun withdraw when totalAssets = 2.05e18 to get the majority of the reported profit.

Impact

Not including the claimable amount on the vault's totalAssets can create lots of issues with shares calculations in a lot of different scenarios.

Tools Used

Manual review

Recommendations

Consider also including the claimable amount for the totalAssets but always convert it to the alETH token, since the claimable amount is in WETH token.