Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: medium

Invalid

The _harvestAndReport function lacks claim and swap logic, limiting profit growth

508110516

Summary

The _harvestAndReport() function detects when claimable WETH is available (claimable > 0) but never actually executes transmuter.claim(). It also omits the optional _swapUnderlyingToAsset call for any WETH held by the strategy. Because of this, the strategy neither redeems potential earnings nor reconverts idle WETH into alETH. As a result, unclaimed or idle funds remain unused, limiting profit growth.

Vulnerability Details

Location:

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L161

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyArb.sol#L148

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyMainnet.sol#L172

function _harvestAndReport() internal override returns (uint256 _totalAssets) {

uint256 claimable = transmuter.getClaimableBalance(address(this));

if (claimable > 0) {

// transmuter.claim(claimable, address(this));

}

// NOTE : we can do this in harvest or can do seperately in tend

// if (underlying.balanceOf(address(this)) > 0) {

// _swapUnderlyingToAsset(underlying.balanceOf(address(this)));

// }

uint256 unexchanged = transmuter.getUnexchangedBalance(address(this));

// NOTE : possible some dormant WETH that isn't swapped yet

uint256 underlyingBalance = underlying.balanceOf(address(this));

_totalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance;

}

Logic miss: The code suggests the possibility of transmuter.claim() but is commented out, leaving any claimable WETH untouched. Idle WETH remains unswapped, foregoing potential profit from redepositing alETH into Transmuter.

Impact

1. Unrealized earnings

The strategy misses out on reclaiming or swapping assets that could generate additional profit.

2. Inaccurate profit/loss reporting

Because these steps are skipped, _harvestAndReport could not reflect the true financial performance of the strategy.

3. User returns decrease

By not reclaiming or re-investing WETH, users’ overall APY is negatively impacted.

Tools Used

Manual Review

Recommendations

Uncomment or implement logic to claim(claimable, address(this)) whenever claimable > 0, ensuring that pending WETH is moved to the strategy, and consider swapping WETH back to alETH if it fits the strategy’s profit generation approach, then redeposit to the Transmuter(like the claimAndSwap function).

Updates

Appeal created

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.