Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: medium

Valid

Incorrect Asset Accounting in `StrategyMainnet::_harvestAndReport()` Leads to Share Price Undervaluation

0xmaxi

Summary

Incorrect Asset Accounting in _harvestAndReport() Leads to Share Price Undervaluation

Vulnerability Details

In the _harvestAndReport() function, claimable WETH from the transmuter is not included in the total assets calculation, despite being an asset owned by the strategy. The function checks for claimable amounts but neither claims them nor includes them in the final accounting.

Impact

function harvestAndReport()

internal

override

returns (uint256 totalAssets)

{

uint256 claimable = transmuter.getClaimableBalance(address(this));

if (claimable > 0) {

// transmuter.claim(claimable, address(this)); // Claim is commented out

}

uint256 unexchanged = transmuter.getUnexchangedBalance(address(this));

uint256 underlyingBalance = underlying.balanceOf(address(this));

// claimable is not included in final calculation

totalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance;

}

This accounting error leads to:

Undervaluation of the strategy's total assets
Incorrect share price calculations
Users receiving fewer shares than they should when depositing
Users receiving more assets than they should when withdrawing

This creates an arbitrage opportunity where users could:

Observe large claimable balances
Withdraw their shares at an undervalued rate
Call claimAndSwap() to realize the uncounted value
Re-deposit at the lower share price

Tools Used

Manual Review

Recommendations

Either:

Include claimable assets in total calculation:
solTotalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance + claimable;

Actually claim the WETH during harvest (preferred approach as it also allows compounding):

Updates

Appeal created

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Incorrect accounting in `_harvestAndReport` claimable should be included

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.