Summary

The strategy incorrectly includes WETH balance in total assets calculation without price conversion, leading to potential accounting errors. All strategies have the same faulty implementation.

According to Yearn's TokenizedStrategy documentation:

"Care should be taken when relying on oracles or swap values rather than actual amounts as all Strategy profit/loss accounting will be done based on this returned value."

Also the EIP-4626 specification:

"All ERC-4626 token amounts and calculations MUST be denominated in terms of shares."

Vulnerability Details

Problem is in _harvestAndReport(), raw WETH balance is added directly to alETH amounts:

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L170

Notice the natspec about the return:

The implementation fails both by:

1. Adding WETH (underlying) directly to alETH (asset) balances without price conversion.

2. Ignoring the Transmuter's flow rate limitations which restrict how quickly WETH can actually be converted to alETH.

Let's explore one attack vector that can be used:

1. Monitor strategy for large WETH claims

2. Deposit when WETH balance is low(because share price is incorrectly dilluted)

3. Wait for large WETH claim to artificially inflate share price

4. Exit position at inflated valuation

5. Repeat to extract value

Impact

• Inflated share prices during large WETH holdings

• Immediate profitability from accounting mismatch

• Wrong price-per-share computation affecting all users

Tools Used

Manual Review

Recommendations

Either remove the WETH balance from the sum or include the WETH balance converted to alETH price.