Submission Details
Severity: medium
Valid

The balanceDeployed function underestimates total holdings and ignores market price differences

Summary

The balanceDeployed() function in the strategy returns a sum of:

  1. Unexchanged alETH balance from transmuter.getUnexchangedBalance(address(this))

  2. The WETH balance in the strategy contract

  3. The alETH balance in the strategy contract

However, it does not include any claimable WETH in the Transmuter (i.e., unclaimed amounts that can still be withdrawn). Furthermore, it adds WETH and alETH numerically without accounting for their respective market prices. This can underestimate the strategy’s actual holdings and misrepresent its real value.

Vulnerability Details

Location:

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyMainnet.sol#L146

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L122

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L135

    function balanceDeployed() public view returns (uint256) {
        return transmuter.getUnexchangedBalance(address(this)) + underlying.balanceOf(address(this))
            + asset.balanceOf(address(this));
    }

Exclusion of Claimable WETH: Any unclaimed WETH that can be withdrawn from Transmuter does not appear in the final total.

No Price Conversion: It assumes a 1:1 numeric sum of WETH and alETH, which often differ in real market price.

Impact

  1. Underreported assets: Users and protocol logic that rely on balanceDeployed() may see a lower-than-actual balance if the Transmuter holds available WETH.

  2. Misleading value calculation: Directly summing WETH and alETH disregards their price disparities. This can lead to misguided decisions about rebalancing or distribution of rewards.

Tools Used

Manual Review

Recommendations

  1. Include claimable WETH: Add transmuter.getClaimableBalance(address(this)) to the returned amount, so the function truly reflects the strategy’s total possible holdings.

  2. Incorporate price conversion: If the strategy aims to report real value, consider using a price oracle to convert WETH and alETH to a common unit.

  3. Clarify function purpose: If balanceDeployed() is only meant to show a raw numeric sum, update the comments to state that it does not represent real market value or total claimable liquidity.
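
Recommendations 1 and 2 side by side, as an added example that is not code from the Alchemix repository. The contract name BalanceReportingExample, the IAlEthPriceFeed oracle interface and its alEthPriceInWeth() function are hypothetical; the example assumes that asset is alETH, underlying is WETH, and the claimable balance is denominated in WETH, as the finding describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example. Only the two transmuter getters named in the finding are declared.
interface ITransmuter {
    function getUnexchangedBalance(address owner) external view returns (uint256);
    function getClaimableBalance(address owner) external view returns (uint256);
}

interface IERC20Balance {
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical oracle (assumption): WETH per 1 alETH, scaled by 1e18.
interface IAlEthPriceFeed {
    function alEthPriceInWeth() external view returns (uint256);
}

contract BalanceReportingExample {
    ITransmuter public immutable transmuter;
    IERC20Balance public immutable asset;      // alETH
    IERC20Balance public immutable underlying; // WETH
    IAlEthPriceFeed public immutable priceFeed;

    constructor(ITransmuter t, IERC20Balance a, IERC20Balance u, IAlEthPriceFeed p) {
        transmuter = t; asset = a; underlying = u; priceFeed = p;
    }

    /// Raw token-unit sum that also counts WETH claimable from the transmuter.
    /// Still mixes alETH and WETH units; it is not a market value.
    function balanceDeployed() public view returns (uint256) {
        return transmuter.getUnexchangedBalance(address(this))
            + transmuter.getClaimableBalance(address(this))
            + underlying.balanceOf(address(this))
            + asset.balanceOf(address(this));
    }

    /// Same holdings expressed in WETH: alETH legs are priced, WETH legs are not.
    function balanceDeployedInWeth() public view returns (uint256) {
        uint256 price = priceFeed.alEthPriceInWeth();
        require(price > 0, "zero price");
        uint256 alEth = transmuter.getUnexchangedBalance(address(this))
            + asset.balanceOf(address(this));
        uint256 weth = transmuter.getClaimableBalance(address(this))
            + underlying.balanceOf(address(this));
        return weth + (alEth * price) / 1e18;
    }
}
```

A production oracle read would also need staleness and deviation checks, which depend on the feed chosen and are outside what the finding specifies.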

Updates

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

balanceDeployed() and _harvestAndReport() add WETH and alETH, but they have different prices

balanceDeployed should include claimable

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

balanceDeployed() and _harvestAndReport() add WETH and alETH, but they have different prices
