Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: medium

Valid

Incorrect Accounting in `_harvestAndReport` due to 1:1 Peg Assumption Between `WETH` and `alETH`

0xshoonya

Summary

The _harvestAndReport function incorrectly assumes a 1:1 peg between WETH and alETH when calculating _totalAssets, leading to inaccurate value reporting if the peg is broken or exchange rates deviate. This could result in mismanagement of strategy funds and protocol accounting errors.

Vulnerability Details

The _harvestAndReport function in the StrategyArb.sol contract aggregates balances of alETH and WETH directly into _totalAssets without accounting for their exchange rate. This is problematic as WETH and alETH are distinct tokens that may not always maintain a 1:1 value ratio.

function _harvestAndReport()

internal

override

returns (uint256 _totalAssets)

{

uint256 claimable = transmuter.getClaimableBalance(address(this));

if (claimable > 0) {

// transmuter.claim(claimable, address(this));

}

uint256 unexchanged = transmuter.getUnexchangedBalance(address(this));

uint256 underlyingBalance = underlying.balanceOf(address(this));

@> _totalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance;

}

The calculation of _totalAssets in this line:

_totalAssets = unexchanged

+ asset.balanceOf(address(this))

+ underlyingBalance;

aggregates:

unexchanged (alETH held in the transmuter),
asset.balanceOf(address(this)) (loose alETH), and
underlyingBalance (WETH balance).

The function assumes a 1:1 value ratio between WETH and alETH, violating the intended purpose of _totalAssets, as described in its comment:

_totalAssets provides a trusted and accurate account of the total amount of asset the strategy currently holds, including idle funds.

A divergence in the exchange rate between WETH and alETH (e.g., due to market conditions or depegging) would lead to an inaccurate _totalAssets value.

Impact

If WETH and alETH are not pegged 1:1 (e.g., due to depegging of alETH), the total asset value will be incorrectly reported. This can lead to overestimating the strategy's value and ultimately wrong accountong in the protocol.

Tools Used

Manual Review

Recommendations

Fetch the current exchange rate for WETH to alETH using an oracle or price data from the transmuter. Use this rate to convert WETH balance into alETH-equivalent value before adding them together.

Updates

Appeal created

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Validated

Assigned finding tags:

balanceDeployed() and _harvestAndReport() add WETH and alETH, but they have different prices

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.