Missing Shutdown Check in `_harvestAndReport` Function
Summary
The _harvestAndReport function in StrategyArb.sol lacks a check for the strategy's shutdown status using TokenizedStrategy.isShutdown(). This omission could lead to funds being incorrectly managed after the strategy has been shut down.
Vulnerability Details
The _harvestAndReport function is responsible for:
Checking for claimable balances from the transmuter
Managing underlying assets (WETH)
Calculating total assets including unexchanged balances
However, it does not check if the strategy is shut down before performing these operations. The code comment acknowledges this capability:
This can still be called post a shutdown, a strategist can check
TokenizedStrategy.isShutdown()to decide if funds should be
redeployed or simply realize any profits/losses.
But the actual implementation does not follow this recommendation.
This means that even when the strategy is shut down:
The function may still attempt to claim rewards
Could potentially redeploy funds
May not properly realize profits/losses as intended during shutdown
Impact
During shutdown, the strategy should focus on realizing profits/losses rather than redeploying funds, but without this check, it may continue normal operations.
Tools Used
Manual Review
Recommendations
Modify the _harvestAndReport function to include a shutdown check and handle funds appropriately
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.