The StrategyArb contract's _harvestAndReport function contains a flaw in its accounting logic. It incorrectly calculates the total assets held by the strategy by not properly accounting for claimed underlying tokens (WETH) from the transmuter and failing to swap them to asset tokens (aLETH) before including them in the total. This inconsistency can lead to inaccurate reporting of strategy performance and creates potential avenues for manipulation.
The _harvestAndReport function aims to calculate the total assets managed by the strategy. The current implementation performs the following steps:
1. Retrieves the claimable underlying balance from the transmuter using transmuter.getClaimableBalance(address(this)). Critically, the actual claiming of the underlying tokens is currently commented out: // transmuter.claim(claimable, address(this));
2. Retrieves the unexchanged asset balance from the transmuter using transmuter.getUnexchangedBalance(address(this)).
3. Retrieves the contract's current underlying balance using underlying.balanceOf(address(this)).
4. Calculates the total assets: _totalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance;
The core issue is that the claimable underlying is never actually claimed before it is included in the _totalAssets calculation. In addition, the underlying the contract does hold is not swapped to the asset before being added to the total. This leads to the following problems:
Inconsistent Asset Valuation and Missing Swap: The function adds unexchanged aLETH, the contract's aLETH balance, and the contract's WETH balance directly. This is fundamentally flawed. To calculate total assets correctly, all assets must be valued in the same unit. The function should claim the underlying, swap it to asset, and then calculate the total in asset units. The failure to perform this swap and the direct addition of WETH and aLETH creates a significant accounting error.
Inaccurate Reporting: As previously stated, this leads to misleading performance metrics.
Potential for Future Misuse: While not directly exploitable for value extraction now, the inaccurate _totalAssets creates a risk for future misuse. If the contract's logic is modified to use _totalAssets for any on-chain calculations, the vulnerability could then be exploited.
Manual review
The claiming and swapping of underlying must be performed atomically within the _harvestAndReport function to prevent state inconsistencies.
Consistent Asset Valuation: All assets must be valued in the same unit (asset) when calculating _totalAssets.
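The flawed accounting beside the corrected claim-then-swap flow the recommendation describes, as an added Solidity example that is not the StrategyArb contract's own code: the interface shapes are assumed from the calls the finding names, and _swapUnderlyingToAsset is a hypothetical hook standing in for the strategy's swap routine, which the page does not show.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal interface shapes assumed from the calls named in the finding.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
}

interface ITransmuter {
    function getClaimableBalance(address) external view returns (uint256);
    function getUnexchangedBalance(address) external view returns (uint256);
    function claim(uint256 amount, address recipient) external;
}

abstract contract HarvestAccountingExample {
    ITransmuter public transmuter;
    IERC20 public asset;       // aLETH: the unit _totalAssets must be reported in
    IERC20 public underlying;  // WETH: what the transmuter pays out on claim

    // Hypothetical hook (assumption): swaps `amount` of underlying held by this
    // contract into asset and returns the asset received.
    function _swapUnderlyingToAsset(uint256 amount) internal virtual returns (uint256);

    // BEFORE: mirrors the flawed accounting in the finding. The claim stays
    // commented out, so `claimable` is unused, and WETH is summed as if it
    // were aLETH, mixing two units in one total.
    function _harvestAndReportFlawed() internal view returns (uint256 _totalAssets) {
        uint256 claimable = transmuter.getClaimableBalance(address(this));
        // transmuter.claim(claimable, address(this));
        uint256 unexchanged = transmuter.getUnexchangedBalance(address(this));
        uint256 underlyingBalance = underlying.balanceOf(address(this));
        _totalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance;
    }

    // AFTER: claim and swap atomically in the same call, then total only
    // asset-denominated positions so every term shares one unit.
    function _harvestAndReport() internal returns (uint256 _totalAssets) {
        uint256 claimable = transmuter.getClaimableBalance(address(this));
        if (claimable > 0) {
            transmuter.claim(claimable, address(this));
        }
        uint256 underlyingBalance = underlying.balanceOf(address(this));
        if (underlyingBalance > 0) {
            _swapUnderlyingToAsset(underlyingBalance);
        }
        uint256 unexchanged = transmuter.getUnexchangedBalance(address(this));
        _totalAssets = unexchanged + asset.balanceOf(address(this));
    }
}
```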