DeFiFoundrySolidity
16,653 OP
Submission Details
Severity: medium
Valid

Inaccurate Asset Reporting Due to Missing Return Logic in `_harvestAndReport`

Summary

The _harvestAndReport function in the strategy contract may inaccurately report total assets under certain conditions. Specifically, when claimable assets are identified but not processed due to commented-out logic, _totalAssets does not reflect newly claimable balances. This oversight can lead to incorrect user share calculations, financial discrepancies, and potential exploit scenarios. Addressing this vulnerability requires finalizing the harvesting logic to ensure accurate asset accounting.

Root Cause

The function calculates _totalAssets by summing the unexchanged balance, the contract’s current asset balance, and the underlying balance. However, if claimable > 0, the function does not process the claimable assets, leaving _totalAssets incomplete and inconsistent with actual holdings.

Vulnerable Code

```solidity
function _harvestAndReport()
    internal
    override
    returns (uint256 _totalAssets)
{
    uint256 claimable = transmuter.getClaimableBalance(address(this));
    if (claimable > 0) {
        // transmuter.claim(claimable, address(this)); // Commented out
    }
    uint256 unexchanged = transmuter.getUnexchangedBalance(address(this));
    uint256 underlyingBalance = underlying.balanceOf(address(this));
    _totalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance;
}
```

Why it Matters

  • Incomplete Accounting: By not processing claimable balances, the function underestimates the total assets held by the contract.

  • Incorrect Share Calculations: Users’ shares are misaligned with actual holdings, creating opportunities for exploitation or unintentional financial discrepancies.

  • Operational Risks: Inaccurate asset reporting complicates strategy performance analysis and fund management.


Attack Scenarios

Scenario 1: Share Manipulation

  1. Setup: An attacker observes that claimable assets are not included in _totalAssets.

  2. Execution: The attacker deposits or withdraws based on inaccurate share calculations, exploiting the discrepancy for financial gain.

  3. Impact: Over time, this manipulation leads to unfair share distributions, harming honest depositors.

Scenario 2: Strategist Exploitation

  1. Setup: A strategist intentionally leaves the claimable logic unprocessed.

  2. Execution: They siphon funds through the claim function without those funds ever being reflected in _totalAssets.

  3. Impact: This creates financial imbalances and damages protocol integrity.

Scenario 3: Financial Discrepancies

  1. Setup: The mismatch between actual and reported assets accumulates over multiple harvest cycles.

  2. Execution: Withdrawals or rebalancing operations are based on inaccurate _totalAssets.

  3. Impact: Depositors receive incorrect payouts or realize losses during liquidation events.


Impact

  1. Financial Impact: Depositors may lose funds due to unfair share distributions or unprocessed claimable assets.

  2. Operational Risk: Protocol performance and trust erode due to inaccurate reporting.

  3. Strategist Exploitation: Malicious or negligent strategists can exploit incomplete logic for personal gain.


Mitigation Recommendations

1. Finalize Harvest Logic

Ensure that claimable assets are processed before calculating _totalAssets:

```solidity
if (claimable > 0) {
    transmuter.claim(claimable, address(this));
}
```

2. Include Claimed Assets in _totalAssets

Update _totalAssets to reflect claimable balances:

```solidity
_totalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance + claimable;
```

Proof of Concept (PoC)

Steps to Reproduce:

  1. Deploy the contract with mock implementations of transmuter and asset.

  2. Simulate a scenario where claimable > 0.

  3. Observe that _totalAssets does not include the claimable balance.

Expected Fix Behavior:

  1. Apply the recommended logic to process claimable assets.

  2. Verify that _totalAssets includes all balances (unexchanged, current, underlying, and claimable).
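The reproduction steps above, as an added Foundry test that is not part of this submission or the audited project: MockToken, MockTransmuter and StrategyHarness are constructed stand-ins for the transmuter, asset and underlying referenced on the page, and the mock assumes claim() credits the claimed amount to the recipient's underlying-token balance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "forge-std/Test.sol";

// Stand-in for an ERC20; only balanceOf is needed. Constructed for this example.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
}
// Minimal mock of the transmuter calls used on the page. Assumption: claim()
// credits the claimed amount to the recipient's underlying-token balance.
contract MockTransmuter {
    MockToken public immutable underlying;
    mapping(address => uint256) public claimableOf;
    mapping(address => uint256) public unexchangedOf;
    constructor(MockToken u) { underlying = u; }
    function setBalances(address who, uint256 c, uint256 u) external { claimableOf[who] = c; unexchangedOf[who] = u; }
    function getClaimableBalance(address who) external view returns (uint256) { return claimableOf[who]; }
    function getUnexchangedBalance(address who) external view returns (uint256) { return unexchangedOf[who]; }
    function claim(uint256 amount, address to) external { claimableOf[to] -= amount; underlying.mint(to, amount); }
}
// Harness reproducing the page's _harvestAndReport; the claim step is switchable
// so the unfixed and fixed accounting can be compared in one test.
contract StrategyHarness {
    MockTransmuter immutable transmuter;
    MockToken immutable asset;
    MockToken immutable underlying;
    constructor(MockTransmuter t, MockToken a, MockToken u) { transmuter = t; asset = a; underlying = u; }
    function harvestAndReport(bool processClaims) external returns (uint256 _totalAssets) {
        uint256 claimable = transmuter.getClaimableBalance(address(this));
        if (processClaims && claimable > 0) {
            transmuter.claim(claimable, address(this)); // the line left commented out on the page
        }
        uint256 unexchanged = transmuter.getUnexchangedBalance(address(this));
        uint256 underlyingBalance = underlying.balanceOf(address(this));
        _totalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance;
    }
}
contract HarvestAccountingTest is Test {
    function testClaimableIsMissingUntilProcessed() public {
        MockToken asset = new MockToken();
        MockToken underlying = new MockToken();
        MockTransmuter transmuter = new MockTransmuter(underlying);
        StrategyHarness strat = new StrategyHarness(transmuter, asset, underlying);
        asset.mint(address(strat), 100e18);
        transmuter.setBalances(address(strat), 40e18, 60e18); // 40 claimable, 60 still unexchanged
        assertEq(strat.harvestAndReport(false), 160e18); // unfixed report: the 40 claimable is missing
        assertEq(strat.harvestAndReport(true), 200e18);  // with the claim restored, it shows up in underlying
    }
}
```

With this mock the claimed amount lands in underlyingBalance, so the fixed total already reflects it once the claim step runs.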

Updates

Appeal created

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect accounting in `_harvestAndReport` claimable should be included
