Alchemix Transmuter

Summary

The strategy lacks a mechanism to claim and swap funds when there is no depeg event or profitable swap, which could result in claimable funds being permanently locked in the transmuter contract. This impacts the strategy's ability to realize yields and could lead to loss of potential earnings for users. Because larger orders incur more slippage as the locked amount grows it will make it increasingly more difficult to make profitable swaps. Meaning at a certain point small depegs wont be enough to access the locked funds.

Vulnerability Details

In the StrategyMainnet contract, the claiming and swapping mechanism is designed around depeg events:

The issue arises because:

1. The strategy accumulates claimable WETH in the transmuter contract over time

2. The claimAndSwap function requires _minOut > _amountClaim which is only possible during a depeg event

3. The _harvestAndReport function shows claimable balances but doesn't provide a mechanism to claim them:

This issue is separate from just having unfinished todo's in the code, or commented out code. There a a variety of ways to implement a claiming mechanism that will allow users to claim and swap funds without a depeg event, and pointing to the todo's and commented out code is apart of the tokenized strategy design and not all commented out code needs to be implemented. This is a fundamental flaw in the design of the strategy that will cause claimable funds to be permanently locked in the transmuter contract unless a depeg event occurs.

Impact

Users suffer yield loss as claimable rewards remain locked in the transmuter contract indefinitely unless a depeg event occurs. This directly impacts the strategy's ability to generate returns for its users.

Tools Used

Manual Review

Recommendations

Implement a mechanism to claim and swap funds without requiring a depeg event. This can easily be done in harvest or in a separate function.