Alchemix Transmuter
Alchemix
DeFiFoundrySolidity
16,653 OP
View results
Previous Next
Submission Details
Severity: medium
Valid

Claimable Balance Ignored in _totalAssets Calculation

oluwaseyisekoni

Summary

The _harvestAndReport function aims to calculate the total assets managed by the contract by summing up various balances. However, the claimable variable, which represents the claimable balance from the transmuter contract, is retrieved but not included in the _totalAssets calculation. This oversight can lead to an underreporting of total assets, potentially causing mismanagement of funds or inaccurate financial reporting.

Vulnerability Details

StrategyOp.sol

function _harvestAndReport()
internal
override
returns (uint256 _totalAssets)
{
@> uint256 claimable = transmuter.getClaimableBalance(address(this));
uint256 unexchanged = transmuter.getUnexchangedBalance(address(this));
// NOTE : possible some dormant WETH that isn't swapped yet
uint256 underlyingBalance = underlying.balanceOf(address(this));
@> _totalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance;
}

** Impact**: Medium (affects asset reporting and management)

  • Likelihood: High (always occurs when claimable balances exist)

  • Risk Level: Medium

Impact

Excluding the claimable balance from _totalAssets can lead to an incorrect representation of the contract’s holdings.

Tools Used

Manual Review

Recommendations

claimable balance should be included in _totalAsset

Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect accounting in `_harvestAndReport` claimable should be included

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.