Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: medium

Valid

_harvestAndReport not implemented correctly

0xgondar

Summary

_harvestAndReport function in strategies is not implemented correctly, which will lead to wrong accounting.

Details

Yearn docs state [here] (https://docs.yearn.fi/developers/v3/strategy_writing_guide#_harvestandreport) that ⇒ _totalAssets: A trusted and accurate account for the total amount of 'asset' the strategy currently holds including loose funds.

But the _harvestAndReport function, in its current implementation, does not follow this. Let’s look at the function in StrategyMainnet.sol contract:

function _harvestAndReport() internal override returns (uint256 _totalAssets) {

uint256 claimable = transmuter.getClaimableBalance(address(this));

if (claimable > 0) {

// transmuter.claim(claimable, address(this));

}

// NOTE : we can do this in harvest or can do seperately in tend

// if (underlying.balanceOf(address(this)) > 0) {

// _swapUnderlyingToAsset(underlying.balanceOf(address(this)));

// }

uint256 unexchanged = transmuter.getUnexchangedBalance(address(this));

// NOTE : possible some dormant WETH that isn't swapped yet (although we can restrict to only claim & swap in one tx)

uint256 underlyingBalance = underlying.balanceOf(address(this));

_totalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance;

}

The function above fails in the following:

Actually claim claimable rewards
Swap underlying (WETH) to the asset (ALETH)
Include claimable amount in total assets calculation
Convert all balances to a consistent denomination (underlying or asset)

Some insights: You see that there is a note that suggests the swapping between underlying to asset can be done here, or in tending. But it is done in neither: First, it’s not done here, second, _tend is never utilized.

Also, according to the Yearn tokenized strategies docs, underlyingBalance here is not related to the _totalAssets. It should only be denominated in the asset, not in the underlying in this protocol.

The same issue persists in other strategies: StrategyArb.sol and StrategyOp.sol

Impact

This function will not work correctly. The accounting will be wrong.

Recommendation

Follow the yearn docs here strictly and make sure _totalAssets returns the correct value.

Updates

Appeal created

inallhonesty Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Incorrect accounting in `_harvestAndReport` claimable should be included

inallhonesty Lead Judge 5 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Incorrect accounting in `_harvestAndReport` claimable should be included

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.