DeFi, Foundry, Solidity
16,653 OP
Submission Details
Severity: high
Invalid

Misleading Total Asset Calculation Due to Incomplete Harvest Logic

Summary

The _harvestAndReport function is designed to calculate the total assets held by the strategy, but the current implementation does not include necessary steps for accurately calculating all asset balances. Specifically, it overlooks essential actions like claiming rewards and properly redeploying idle funds, resulting in an incomplete view of the strategy's total assets.

Vulnerability Detail

The function fails to properly accumulate the total assets for the following reasons:

  1. Reward Claiming Missing: The logic for claiming rewards from the transmuter is absent, leading to unclaimed rewards not being included in the total asset calculation.

  2. No Idle Fund Redeployment: The function does not check for or redeploy any idle funds back into the yield-generating system, resulting in assets remaining idle.

  3. Incomplete Asset Aggregation: The current calculation only adds the unexchanged balance and other asset balances, which ignores crucial sources of total asset value, such as pending rewards.

Impact

  • Incorrect Asset Reporting: The strategy's total assets are misrepresented, which can lead to wrong assumptions for users or external systems interacting with the contract.

  • Underutilized Capital: Idle funds and unclaimed rewards remain unoptimized, leading to lost potential returns.

  • Reduced Strategy Performance: The lack of accurate asset calculation and reward claiming can result in diminished overall returns and strategy inefficiency.

Tool used

Manual Code Review

Recommendation

  1. Implement Reward Claiming: Include the transmuter.claim(claimable, address(this)) call to ensure all available rewards are claimed.

  2. Redeploy Idle Assets: Check for idle funds and redeploy them to active yield-generating sources to maximize returns.

  3. Revise Total Asset Calculation: Update the calculation to include all relevant balances. Consolidate asset calculation into balanceDeployed and call this function from _harvestAndReport to avoid code duplication.

  4. Ensure Accurate Reporting: Make sure the _harvestAndReport function accurately reports total assets by including claimed rewards and deployed balances.

Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
