Submission Details
Severity: medium
Valid

Incorrect Calculation of _totalAssets in _harvestAndReport Function

Summary

In the _harvestAndReport function of the contract, the calculation of _totalAssets is incorrect because it includes underlyingBalance directly, without converting it into the final asset token. This misrepresentation could lead to incorrect reporting of the total assets held by the strategy. Instead of directly adding underlyingBalance, the underlying tokens should be swapped into asset before they are included in the total.

Vulnerability Details

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyMainnet.sol#L191

underlyingBalance is in the underlying token (e.g., WETH), but the strategy's assets are reported in terms of the final asset token (e.g., ALETH). Therefore, simply adding underlyingBalance directly to _totalAssets without converting it to asset results in an incorrect total.

Impact

The incorrect calculation could lead to improper behavior in other functions that rely on _totalAssets, potentially resulting in faulty decisions regarding fund deployment, withdrawal, or management.

Tools Used

Recommendations

```solidity
_totalAssets = unexchanged + asset.balanceOf(address(this)) + _swapUnderlyingToAsset(underlying.balanceOf(address(this)));
```
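
The unit mismatch described above, worked through numerically in Python as an added example (not code from the submission or from the Alchemix repository). The balances and the underlying-to-asset rates are constructed sample values, the function names are hypothetical, and the conversion is modelled as a fixed rate rather than a real swap.

```python
WAD = 10**18  # 18-decimal fixed point, the scale used by WETH and alETH


def to_asset(underlying_amount: int, rate_wad: int) -> int:
    """Express an underlying amount in asset units.

    rate_wad is an assumed rate: asset units per 1 underlying, scaled by 1e18.
    """
    return underlying_amount * rate_wad // WAD


def report_mixed(unexchanged: int, asset_bal: int, underlying_bal: int) -> int:
    """Sum as described in the finding: underlying added without conversion."""
    return unexchanged + asset_bal + underlying_bal


def report_converted(unexchanged: int, asset_bal: int,
                     underlying_bal: int, rate_wad: int) -> int:
    """Sum with every term denominated in the asset token."""
    return unexchanged + asset_bal + to_asset(underlying_bal, rate_wad)


def error_bps(unexchanged: int, asset_bal: int,
              underlying_bal: int, rate_wad: int) -> int:
    """Signed error of the mixed-unit report vs. the converted one, in bps.

    Negative means the strategy under-reports, positive means it over-reports.
    """
    mixed = report_mixed(unexchanged, asset_bal, underlying_bal)
    converted = report_converted(unexchanged, asset_bal, underlying_bal, rate_wad)
    return (mixed - converted) * 10_000 // converted


if __name__ == "__main__":
    # Constructed state: 895 asset unexchanged, 100 underlying sitting idle.
    unexchanged, asset_bal, underlying_bal = 895 * WAD, 0, 100 * WAD
    for label, rate in (("1.05", 105 * WAD // 100),
                        ("1.00", WAD),
                        ("0.95", 95 * WAD // 100)):
        print(label, error_bps(unexchanged, asset_bal, underlying_bal, rate), "bps")
```

The error is zero only when the rate is exactly 1 or no underlying is held, and its sign follows the rate, so the mixed-unit sum can misstate the total in either direction.
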
Updates

Appeal created

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect accounting in `_harvestAndReport` claimable should be included