Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: medium

Valid

Incomplete implementation of `_harvestAndReport` function in Strategy contracts

zanderbytexyz

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L157

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyMainnet.sol#L181

## Summary

The `_harvestAndReport` function in `StrategyArb` and `StrategyMainnet` fails to execute the claiming of the rewards and redeploy iddle funds. This contradicts the intended purpose of the function, as stated in its comments.

## Vulnerability Details

The `TokenizedStrategy::report()` function relies on `_harvestAndReport` to provide an accurate accounting of all assets, including realized rewards and redeployed funds.According to the comments in the `report()` function:

```solidity

// Tell the strategy to report the real total assets it has.

@> // It should do all reward selling and redepositing now and

// account for deployed and loose `asset` so we can accurately

// account for all funds including those potentially airdropped

// and then have any profits immediately locked.

uint256 newTotalAssets = IBaseStrategy(address(this))

.harvestAndReport();

```

However, in the current implementation, key operations for claiming and swapping are commented out:

In `StrategyArb` and `StrategyMainnet`:

```solidity

function _harvestAndReport()

internal

override

returns (uint256 _totalAssets)

{

...

if (claimable > 0) {

@> // transmuter.claim(claimable, address(this));

}

// NOTE : we can do this in harvest or can do seperately in tend

// if (underlying.balanceOf(address(this)) > 0) {

@> // _swapUnderlyingToAsset(underlying.balanceOf(address(this)));

// }

...

}

```

Additionally, this logic is missing completely in `StrategyOp.sol`

These omissions prevent `_harvestAndReport` from fulfilling its intended purpose

## Impact

Broken functionality

## Tools Used

Manual review

## Recommendations

1. Uncomment the `transmuter.claim(claimable, address(this));` line in the `_harvestAndReport` function in both `StrategyArb` and `StrategyMainnet` to ensure that rewards are claimed as part of the harvesting process.

2. Uncomment and and correctly configure the `_swapUndelyingToAsset` function.

3. Implement reward claiming and redeploying logic in `StrategyOp`, as it is entirely missing.

Updates

Appeal created

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

zanderbytexyz Submitter

10 months ago

inallhonesty Lead Judge

10 months ago

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Incorrect accounting in `_harvestAndReport` claimable should be included

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.