DeFiFoundrySolidity
Submission Details
Severity: medium
Invalid

Deposit all funds to the Transmuter

Summary
The claimAndSwap function deposits the entire contract balance of the asset back to the transmuter after the swap operation. This logic fails to account for pre-existing balances in the contract, potentially resulting in over-depositing assets. The deposit should be restricted to only the newly acquired balance (balAfter - balBefore), rather than the entire contract balance.

Vulnerability Details

In the claimAndSwap function, the following line sends the entire balance of the asset held by the contract to the transmuter.

transmuter.deposit(asset.balanceOf(address(this)), address(this));

However, the contract might have existing balances of the asset before executing claimAndSwap. This results in over-depositing the asset, including funds unrelated to the current claim-and-swap operation.

Impact
Over-Deposit of Funds: Unrelated balances of the asset in the contract will be unnecessarily sent to the transmuter. This can lead to:

  • Unintended depletion of funds.

  • Disruption in other contract operations relying on the asset balance.

Tools Used

Manual Review

Recommendations

Compute balAfter - balBefore and deposit only the balance gained from the WETH to alETH swap, not the contract's entire asset balance.
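The two deposit patterns side by side, as an added illustration that is not code from the audited project: the whole-balance deposit the finding describes and the balBefore/balAfter delta the recommendation asks for. The IERC20, ITransmuter and ISwapRouter interfaces, the swapWethForAsset helper, and the assumption that the WETH to be swapped is already held by the contract (the claim step is left out) are all assumptions made for this example; only the deposit(amount, recipient) shape is taken from the line quoted in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces assumed for this example; not the audited project's own definitions.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface ITransmuter {
    // Shape taken from the call quoted in the finding: deposit(amount, recipient).
    function deposit(uint256 amount, address recipient) external;
}

interface ISwapRouter {
    // Hypothetical swap helper: sells `amountIn` WETH for the asset, returns the amount received.
    function swapWethForAsset(uint256 amountIn, uint256 minOut) external returns (uint256);
}

contract ClaimAndSwapExample {
    IERC20 public immutable asset;          // the asset being deposited (alETH in the finding)
    ITransmuter public immutable transmuter;
    ISwapRouter public immutable router;

    constructor(IERC20 _asset, ITransmuter _transmuter, ISwapRouter _router) {
        asset = _asset;
        transmuter = _transmuter;
        router = _router;
    }

    // Pattern the finding objects to: whatever the contract holds is deposited,
    // including any asset balance that was already present before the swap.
    function claimAndSwapWholeBalance(uint256 wethAmount, uint256 minOut) external returns (uint256 deposited) {
        router.swapWethForAsset(wethAmount, minOut);
        deposited = asset.balanceOf(address(this));
        asset.approve(address(transmuter), deposited);
        transmuter.deposit(deposited, address(this));
    }

    // Recommended pattern: snapshot the balance before the swap and deposit only the delta,
    // so funds unrelated to this operation stay in the contract.
    function claimAndSwapDelta(uint256 wethAmount, uint256 minOut) external returns (uint256 deposited) {
        uint256 balBefore = asset.balanceOf(address(this));
        router.swapWethForAsset(wethAmount, minOut);
        uint256 balAfter = asset.balanceOf(address(this));

        // Solidity 0.8 checked arithmetic reverts if the balance somehow decreased.
        deposited = balAfter - balBefore;
        require(deposited >= minOut, "swap output below minimum");

        asset.approve(address(transmuter), deposited);
        transmuter.deposit(deposited, address(this));
    }
}
```

Both functions return the amount deposited, so a test can fund the contract with a pre-existing asset balance, call each variant with the same swap inputs, and observe that only the whole-balance version sweeps the pre-existing funds along with the swap proceeds. Whether sweeping those pre-existing funds into the transmuter is intended is exactly the point the judge's "design choice" ruling turns on.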

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
