Alchemix Transmuter

Summary

The _harvestAndReport function incorrectly assumes a 1:1 peg between WETH and alETH when calculating _totalAssets, leading to inaccurate value reporting if the peg is broken or exchange rates deviate. This could result in mismanagement of strategy funds and protocol accounting errors.

Vulnerability Details

The _harvestAndReport function in the StrategyArb.sol contract aggregates balances of alETH and WETH directly into _totalAssets without accounting for their exchange rate. This is problematic as WETH and alETH are distinct tokens that may not always maintain a 1:1 value ratio.

The calculation of _totalAssets in this line:

aggregates:

• unexchanged (alETH held in the transmuter),

• asset.balanceOf(address(this)) (loose alETH), and

• underlyingBalance (WETH balance).

The function assumes a 1:1 value ratio between WETH and alETH, violating the intended purpose of _totalAssets, as described in its comment:

_totalAssets provides a trusted and accurate account of the total amount of asset the strategy currently holds, including idle funds.

A divergence in the exchange rate between WETH and alETH (e.g., due to market conditions or depegging) would lead to an inaccurate _totalAssets value.

Impact

If WETH and alETH are not pegged 1:1 (e.g., due to depegging of alETH), the total asset value will be incorrectly reported. This can lead to overestimating the strategy's value and ultimately wrong accountong in the protocol.

Tools Used

Manual Review

Recommendations

Fetch the current exchange rate for WETH to alETH using an oracle or price data from the transmuter. Use this rate to convert WETH balance into alETH-equivalent value before adding them together.