DeFiFoundrySolidity
16,653 OP
Submission Details
Severity: high
Invalid

The function _harvestAndReport() is not implemented correctly and it will cause the loss of fees due to the protocol

Summary

Protocol and performance fees will never be collected because of the incorrect implementation of the _harvestAndReport function, notably the harvest part.

Vulnerability Details

The vulnerability is in the following method:

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L161

The function must implement the following specification from:

https://docs.yearn.fi/developers/v3/strategy_writing_guide


Called during every report. This should harvest and sell any rewards, reinvest any proceeds, perform any position maintenance and return a full accounting of a trusted amount denominated in the underlying asset the strategy holds.


As the claim and swap calls are commented out, when the report function is called (https://github.com/yearn/tokenized-strategy/blob/9ef68041bd034353d39941e487499d111c3d3901/flattened/FlatTokenizedStrategy.sol#L2413), the function _harvestAndReport will return a newTotalAssets amount equal to oldTotalAssets, so the performance and protocol fees can never be accessed due to the following line:

if (newTotalAssets > oldTotalAssets) {

As the performance and protocol fees are only collected when the report function is called, these fees will never be collected.

Impact

High. There's a severe disruption of protocol functionality or availability. Also a loss of funds for the protocol as the protocol fees are not retrieved as intended when the report function is called.

Likelihood

High. The function will never work as intended.

Tools Used

Manual

Recommendations

Add the claim and swap lines to _harvestAndReport, like the Arbitrum strategy.
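The accounting gate the submission points at (`if (newTotalAssets > oldTotalAssets)`) can be modelled without a chain. The following is an added example, not code from the Alchemix strategy or from Yearn: it uses a simplified version of the Yearn V3 report() fee formula (profit times performanceFee over MAX_BPS, with a protocol share carved out) and a toy strategy whose harvest either just reports its current balance or first claims and swaps pending rewards. All balances, reward amounts, prices and fee rates are constructed sample values, and the `ModelStrategy` class and its methods are hypothetical.

```python
# Added example: a simplified model of the Yearn V3 TokenizedStrategy
# report() fee path, used to show why fees only accrue when the strategy's
# _harvestAndReport() returns more assets than the previous report.
# This is NOT code from the Alchemix strategy or from Yearn; the fee formula
# follows the profit * performanceFee / MAX_BPS pattern, and all balances,
# reward amounts, prices and fee rates below are constructed sample values.

MAX_BPS = 10_000


def report_fees(old_total_assets: int, new_total_assets: int,
                performance_fee_bps: int, protocol_fee_bps: int) -> tuple[int, int, int]:
    """Return (profit, performance_fee, protocol_fee) for one report() call.

    Mirrors the `if (newTotalAssets > oldTotalAssets)` gate quoted in the
    submission: when the harvest reports no growth, no fee is charged.
    """
    if new_total_assets > old_total_assets:
        profit = new_total_assets - old_total_assets
        total_fees = profit * performance_fee_bps // MAX_BPS
        protocol_fee = total_fees * protocol_fee_bps // MAX_BPS
        performance_fee = total_fees - protocol_fee
        return profit, performance_fee, protocol_fee
    return 0, 0, 0


class ModelStrategy:
    """Hypothetical strategy holding the underlying asset plus unclaimed reward tokens."""

    def __init__(self, asset_balance: int, reward_price_in_asset: int):
        self.asset_balance = asset_balance                  # underlying asset held
        self.pending_rewards = 0                            # reward tokens not yet claimed
        self.reward_price_in_asset = reward_price_in_asset  # swap rate: 1 reward -> N asset

    def accrue_rewards(self, amount: int) -> None:
        """Rewards earned since the last report (constructed, not a real reward source)."""
        self.pending_rewards += amount

    def harvest_and_report_without_claim(self) -> int:
        """Harvest as the submission describes it: claim and swap are commented
        out, so the function only reports the asset balance it already holds."""
        return self.asset_balance

    def harvest_and_report_with_claim(self) -> int:
        """Harvest following the Yearn guide: claim rewards, swap them to the
        underlying asset, reinvest, then report the new total."""
        proceeds = self.pending_rewards * self.reward_price_in_asset
        self.pending_rewards = 0
        self.asset_balance += proceeds
        return self.asset_balance


def simulate_reports(claim: bool, cycles: int = 3,
                     performance_fee_bps: int = 1_000, protocol_fee_bps: int = 1_000) -> dict:
    """Run `cycles` report rounds and return cumulative fees and the final state."""
    strat = ModelStrategy(asset_balance=1_000_000, reward_price_in_asset=2)
    old_total = strat.asset_balance
    total_perf = total_proto = 0
    for _ in range(cycles):
        strat.accrue_rewards(5_000)  # constructed: 5_000 reward tokens earned per cycle
        new_total = (strat.harvest_and_report_with_claim() if claim
                     else strat.harvest_and_report_without_claim())
        _, perf, proto = report_fees(old_total, new_total, performance_fee_bps, protocol_fee_bps)
        total_perf += perf
        total_proto += proto
        old_total = new_total
    return {"performance_fee": total_perf, "protocol_fee": total_proto,
            "total_assets": old_total, "unclaimed_rewards": strat.pending_rewards}


if __name__ == "__main__":
    print("without claim/swap:", simulate_reports(claim=False))
    print("with claim/swap:   ", simulate_reports(claim=True))
```

Running it shows the two paths diverge only through the harvest return value: without the claim and swap, `newTotalAssets` equals `oldTotalAssets` every cycle, the gate never opens and rewards pile up unclaimed, while the claiming variant turns each cycle's rewards into measurable profit on which both fee shares are taken. Whether leaving the claim out of `_harvestAndReport` is a defect or an intentional split of duties (as the judge's ruling below holds) is a design question the model does not decide; it only makes the accounting consequence explicit.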

Updates

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
