Alchemix Transmuter

Summary

In StrategyMainnet, StrategyArb, and StrategyOp, the claimAndSwap function immediately deposits all received alETH (including the premium/profit) back into the transmuter, preventing the strategy from recording any profit. This leads to inaccurate profit reporting.

Vulnerability Details

The claimAndSwap function claims WETH, swaps it for alETH at a premium, but then deposits all received alETH back into the transmuter:

The issue arises because:

1. The strategy swaps WETH for alETH at a premium (profit)

2. Instead of keeping the premium as profit, all alETH is deposited into the transmuter

3. And, during withdrawal the TokenizedStrategy.solaccount for idle by checking the balance of asset which means any directly transferred profit will be seen as idle cash.

   uint256 idle = _asset.balanceOf(address(this));

   uint256 loss;

   // Check if we need to withdraw funds.

   if (idle < assets) {

   // Tell Strategy to free what we need.

   unchecked {

   IBaseStrategy(address(this)).freeFunds(assets - idle);

   }

   ​

   // Return the actual amount withdrawn. Adjust for potential under withdraws.

   idle = _asset.balanceOf(address(this));

   ​

   // If we didn't get enough out then we have a loss.

   if (idle < assets) {

   unchecked {

   loss = assets - idle;

   }

   // If a non-default max loss parameter was set.

   if (maxLoss < MAX_BPS) {

   // Make sure we are within the acceptable range.

   require(

   loss <= (assets * maxLoss) / MAX_BPS,

   "too much loss"

   );

   }

   // Lower the amount to be withdrawn.

   assets = idle;

   }

   }

4. When _harvestAndReport() is called, it only sees:

   • Unexchanged balance in transmuter

   • Current alETH balance (which is 0 since all was deposited)

   • Underlying balance

Impact

Loss of Profit for strategy users and protocol

Impact = High

Likelihood = High

Tools Used

Manual

Recommendations

Modify claimAndSwap to retain the premium and exclude totalProfitsfrom availableWithdrawLimit()