Alchemix Transmuter

Summary

The _harvestAndReport function is designed to calculate the total amount of asset held by the strategy, including idle funds and unexchanged balances. However, the calculation combines values in two different currencies: weth (underlying) and alETH (asset). Since weth and alETH are not always equal in value, this approach can produce inaccurate total asset evaluations, potentially leading to incorrect profit or loss assessments.

Vulnerability Details

• Impact: High (affects financial accuracy and decision-making)

• Likelihood: Medium (always occurs but depends on significant deviation in exchange rates)

• Risk Level: High

The current implementation of _harvestAndReport calculates _totalAssets as follows:

• unexchanged: The unexchanged balance in alETH (asset).

• underlyingBalance: The idle balance of weth held by the strategy.

• asset.balanceOf(address(this)): The balance of alETH (asset) held by the strategy.

Issue: underlyingBalance is denominated in weth, while unexchanged and asset.balanceOf(address(this)) are denominated in alETH. These two tokens are not always equivalent in value (e.g., 1.01 alETH = 1 weth at the time of writing). Directly summing them without converting to a common unit results in an inconsistent and inaccurate evaluation of _totalAssets.

Impact

Inaccurate evaluation of _totalAssets. _totalAssets will not accurately reflect the strategy’s holdings, leading to potential errors in profit or loss calculations and can affect decision-making by the protocol

Tools Used

Manual Review

Recommendations

To ensure consistent and accurate calculations, convert all components of _totalAssets into a single currency, such as alETH or weth, using a reliable price oracle or exchange rate.