StrategyMainnet::_harvestAndReport is a function that should return an accurate and trusted total amount of 'ASSET' the strategy currently holds, including loose funds. However, the issue is that the function also includes the WETH balance, which cannot be claimed by users. This results in inaccurate asset and share value calculations within the vault, leading to a loss of funds.
An attacker can also use this vulnerability to grief users and make them lose their assets.
From the docs:
As seen in the current implementation of _harvestAndReport, the unexchanged variable is added to _totalAssets. The unexchanged variable represents the current balance of the WETH token within the strategy. However, WETH is the underlying token, not an asset, and cannot be withdrawn by users. Including it in the _totalAssets calculation leads to incorrect asset and share price calculations within the vault.
The WETH can be directly transferred to the strategy address, which may lead to unexpected share and asset prices, potentially opening the door to more serious exploits.
This is an edge case that arises when the keeper is configured to call report regularly, even when no deposits are made and no shares are minted. An attacker could exploit this situation, as WETH is not considered an asset.
1. The keeper calls the report function.
2. The attacker front-runs it and sends 1 wei of WETH to the strategy address.
3. _totalAssets is updated with current value = 1.
4. User deposits alETH into the vault and exploits it using the well-known "donation attack".
A second, more likely scenario involves an attacker transferring any amount of WETH into the vault at any time. This can cause users to receive more alETH than they should when withdrawing, effectively allowing the attacker to steal from the last user in the pool. This is a basic griefing attack that results in a loss of funds for the affected user. The direct transfer of WETH disrupts the vault's share and asset price calculations.
The attacker can:
1. Deposit into the contract.
2. Directly send WETH.
3. Wait for a user deposit.
4. Withdraw the full amount (the attacker's alETH + the user's alETH equal to the amount of WETH sent by the attacker).
As a result, the attacker loses nothing and the user cannot withdraw the full deposited amount (ignoring fees, of course).
The user can only withdraw the remaining alETH available in the strategy, less the WETH sent by the attacker. The attacker could withdraw the full deposited amount.
Adding the balance of WETH to the _totalAssets calculation leads to incorrect prices for users. It can be exploited by an attacker to perform a griefing attack.
It is important to note that this report specifically addresses the vulnerability in the StrategyMainnet contract.
Manual review
Remove unexchanged from _totalAssets calculation.
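The accounting gap described in this report and the effect of the recommended fix, as an added example that is not the project's code: a simplified Python model that assumes ERC-4626-style pro-rata shares, no fees, and redemptions paid only from the alETH balance. The class, method names and amounts are constructed for illustration.

```python
# Added illustration, not the StrategyMainnet code. Assumptions: pro-rata
# ERC-4626-style shares, no fees, redemptions paid only from the alETH balance.
# All names and amounts are constructed for the example.

class StrategyModel:
    def __init__(self, count_weth):
        self.count_weth = count_weth  # True: reported total includes WETH balance
        self.aleth = 0                # redeemable asset held by the strategy
        self.weth = 0                 # unexchanged WETH, not redeemable by users
        self.shares = {}              # holder -> share balance

    def total_assets(self):
        return self.aleth + (self.weth if self.count_weth else 0)

    def deposit(self, who, amount):
        supply = sum(self.shares.values())
        minted = amount if supply == 0 else amount * supply // self.total_assets()
        self.aleth += amount
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def receive_weth(self, amount):
        self.weth += amount           # direct transfer: no shares are minted

    def redeem_all(self, who):
        supply = sum(self.shares.values())
        owed = self.shares.pop(who) * self.total_assets() // supply
        paid = min(owed, self.aleth)  # only alETH can actually leave the strategy
        self.aleth -= paid
        return owed, paid

def run(count_weth):
    s = StrategyModel(count_weth)
    s.deposit("first", 10_000)
    s.receive_weth(5_000)
    s.deposit("second", 10_000)
    backed = s.total_assets() <= s.aleth  # invariant: reported total is redeemable
    first = s.redeem_all("first")
    second = s.redeem_all("second")
    return {"backed": backed, "first": first, "second": second}

if __name__ == "__main__":
    print("WETH counted :", run(True))
    print("WETH excluded:", run(False))
```

The `backed` flag is the invariant worth asserting in tests of the real strategy: the reported total should never exceed the balance that can actually be paid out in the asset.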