Loss Due to Unclaimed Balances in `_harvestAndReport` Function
Summary
The _harvestAndReport function fails to claim the claimable balance from the transmuter, resulting in unclaimed funds not being included in the _totalAssets. This oversight can lead to inaccuracies in asset reporting and a potential loss of yield or utility, as the claimable balance remains idle.
This vulnerability exists in multiple places.
-> https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L148 .
->https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyMainnet.sol#L172
->https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L161
Vulnerability Details
Unclaimed Balance:
-> The claimable balance retrieved from transmuter.getClaimableBalance(address(this)) is calculated but not claimed because the transmuter.claim call is commented out.
-> The claimable balance is neither added to the total assets nor utilized in further operations.
Impact on _totalAssets Calculation.
_totalAssets only accounts for:
unexchanged (balance in the transmuter not yet swapped).
underlyingBalance (current balance of underlying tokens in the contract).
asset.balanceOf(address(this)) (current balance of the main asset in the contract).
The unclaimed claimable balance is omitted, resulting in an understated _totalAssets.
Impact
HIGH
Likelihood
HIGH
Tools Used
manual analysis
Recommendations
Uncomment and Implement transmuter.claim.
Enhance _totalAssets Calculation
_totalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance + claimable;
Appeal created
Incorrect accounting in `_harvestAndReport` claimable should be included
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.