DeFiFoundrySolidity
16,653 OP
Submission Details
Severity: medium
Valid

Incorrect Balance Deployed Calculation Leading to Profit Manipulation

Summary

The balanceDeployed() function counts the strategy's WETH balance at face value (as if 1 WETH were worth 1 alETH) and omits the portion of the deposit that the transmuter has already exchanged but the strategy has not yet claimed. Any off-chain logic that relies on this value therefore misreads the amount actually deployed.

Vulnerability Details

In balanceDeployed():

function balanceDeployed() public view returns (uint256) {
    return transmuter.getUnexchangedBalance(address(this))
        + underlying.balanceOf(address(this))
        + asset.balanceOf(address(this));
}

There are two issues:

  1. WETH (underlying) is added at face value, even though WETH trades at a premium to alETH, so the sum mixes two assets with different prices.

  2. The exchanged balance (WETH that is already claimable from the transmuter) is not included, so value that still belongs to the strategy is dropped from the total.

The function should instead sum:

  • Unexchanged alETH balance

  • Current alETH balance

  • Exchanged balance (claimable)

Impact

Low. The vulnerability affects core accounting, but since balanceDeployed() is not called anywhere on-chain and is only consumed by off-chain logic, the effect is limited to off-chain calculations that read a wrong deployed balance.

Tools Used

  • Manual code review

  • Cross-reference with Alchemix protocol documentation

Recommendations

  1. Include the exchanged (claimable) balance in the calculation:

function balanceDeployed() public view returns (uint256) {
    return transmuter.getUnexchangedBalance(address(this))
        + asset.balanceOf(address(this))
        + transmuter.getClaimableBalance(address(this));
}

  2. Remove direct WETH accounting, so the function no longer adds an asset priced differently from alETH.
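To make the two accounting errors concrete, the following Python model walks a strategy through deposit, exchange and claim and reports what the original balanceDeployed() and the recommended version return at each step. This is an added example, not code from the submission or from the Alchemix or strategy code base; the MockTransmuter, Strategy class, the 1:1 exchange rate and the constructed WETH/alETH price of 1.05 are all assumptions made here for illustration.

```python
"""Added model of the balanceDeployed() accounting flaw (not project code).

Assumptions (not from the finding): the transmuter exchanges alETH for WETH
1:1, claimable balances are denominated in WETH, and the WETH/alETH price is
a constructed 1.05 (WETH at a 5% premium to alETH).
"""
from dataclasses import dataclass, field


@dataclass
class MockTransmuter:
    """Hypothetical stand-in for the transmuter view functions used on the page."""
    unexchanged: dict = field(default_factory=dict)  # alETH waiting to be exchanged
    claimable: dict = field(default_factory=dict)    # WETH already exchanged, not yet claimed

    def deposit(self, who: str, amount: int) -> None:
        self.unexchanged[who] = self.unexchanged.get(who, 0) + amount

    def exchange(self, who: str, amount: int) -> None:
        """Protocol-side step: alETH is matched with WETH and becomes claimable 1:1."""
        if amount > self.unexchanged.get(who, 0):
            raise ValueError("exchange exceeds unexchanged balance")
        self.unexchanged[who] -= amount
        self.claimable[who] = self.claimable.get(who, 0) + amount

    def claim(self, who: str, amount: int) -> int:
        """Strategy-side step: claimable WETH leaves the transmuter."""
        if amount > self.claimable.get(who, 0):
            raise ValueError("claim exceeds claimable balance")
        self.claimable[who] -= amount
        return amount

    def get_unexchanged_balance(self, who: str) -> int:
        return self.unexchanged.get(who, 0)

    def get_claimable_balance(self, who: str) -> int:
        return self.claimable.get(who, 0)


@dataclass
class Strategy:
    transmuter: MockTransmuter
    asset: int = 0        # alETH held directly by the strategy
    underlying: int = 0   # WETH held directly by the strategy
    name: str = "strategy"

    def balance_deployed_original(self) -> int:
        # Mirrors the reported function: unexchanged + WETH at face value + alETH.
        t = self.transmuter
        return t.get_unexchanged_balance(self.name) + self.underlying + self.asset

    def balance_deployed_fixed(self) -> int:
        # Mirrors the recommendation: unexchanged + alETH + claimable, no raw WETH.
        t = self.transmuter
        return (t.get_unexchanged_balance(self.name) + self.asset
                + t.get_claimable_balance(self.name))

    def deposit(self, amount: int) -> None:
        self.asset -= amount
        self.transmuter.deposit(self.name, amount)

    def claim(self, amount: int) -> None:
        self.underlying += self.transmuter.claim(self.name, amount)


def run_scenario(weth_price_in_aleth: float = 1.05) -> dict:
    """Record (original, fixed) after each step plus the WETH face-value distortion."""
    t = MockTransmuter()
    s = Strategy(t, asset=100)
    out = {}
    s.deposit(100)
    out["after_deposit"] = (s.balance_deployed_original(), s.balance_deployed_fixed())
    t.exchange(s.name, 40)  # protocol exchanges 40 alETH into 40 claimable WETH
    out["after_exchange"] = (s.balance_deployed_original(), s.balance_deployed_fixed())
    s.claim(40)             # strategy pulls the 40 WETH into its own balance
    out["after_claim"] = (s.balance_deployed_original(), s.balance_deployed_fixed())
    # The original adds 40 WETH as if it were 40 alETH; at the constructed price it is worth more.
    out["weth_face_value"] = s.underlying
    out["weth_priced_in_aleth"] = round(s.underlying * weth_price_in_aleth, 2)
    return out


if __name__ == "__main__":
    for step, value in run_scenario().items():
        print(f"{step}: {value}")
```

After the exchange the original function drops from 100 to 60 because the 40 claimable WETH is invisible to it, while the recommended version still reports 100. After the claim the original jumps back to 100 by adding the 40 WETH at face value, although at the constructed price that WETH is worth 42 alETH; the recommended version, which excludes wallet WETH as the submission suggests, reports 60 until the WETH is converted back into alETH, so a practitioner adopting it should make sure harvest logic swaps WETH promptly or prices it explicitly.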

Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

balanceDeployed() and _harvestAndReport() add WETH and alETH, but they have different prices

balanceDeployed should include claimable

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

balanceDeployed() and _harvestAndReport() add WETH and alETH, but they have different prices
