DeFi, Foundry, Solidity
16,653 OP
Submission Details
Severity: medium
Invalid

_harvestAndReport does not do its intended functionality

Summary

According to the docs:

"_harvestAndReport() should do any needed harvesting, rewards selling, accrual, redepositing etc. to get the most accurate view of current assets."

The current functionality doesn't do any of those.

Vulnerability Details

This is the _harvestAndReport() function. It simply returns totalAsset. The claim() functionality is commented out.

```solidity
function _harvestAndReport()
    internal
    override
    returns (uint256 _totalAssets)
{
    uint256 claimable = transmuter.getClaimableBalance(address(this));
    if (claimable > 0) {
        // transmuter.claim(claimable, address(this));
    }
    // NOTE : we can do this in harvest or can do seperately in tend
    // if (underlying.balanceOf(address(this)) > 0) {
    //     _swapUnderlyingToAsset(underlying.balanceOf(address(this)));
    // }
    uint256 unexchanged = transmuter.getUnexchangedBalance(address(this));
    // NOTE : possible some dormant WETH that isn't swapped yet (although we can restrict to only claim & swap in one tx)
    uint256 underlyingBalance = underlying.balanceOf(address(this));
    _totalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance;
}
```

Ideally, _harvestAndReport() should claim the WETH tokens and swap them to ALETH, then report the balance of WETH and ALETH in the contract.

Impact

_harvestAndReport() is not built according to the docs.

Tools Used

Manual Review

Recommendations

Ensure _harvestAndReport() is not simply a getter function that returns a variable, but does something as well.

Updates

Appeal created

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
