Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: medium

Invalid

Missing Yield Return Could Result in Loss of Funds for Depositers

bladesec

Title

Missing Yield Return Could Result in Loss of Funds for Depositers

Summary

During the claimAndSwap process, the claimAndSwap function fails to account for the accumulated yield as additional profit for depositors. This oversight results in significant losses for honest depositors, undermining trust and fairness in the system.

Vulnerability Details

According to Transmuter documentation:

2. Accumulation & Exchange: Over time the underlying asset is accumulated in the Transmuter via yield harvest, self-liquidations, and loan repayments. The asset is proportionally allocated to users based on their alAsset deposit. For example, the Transmuter will gradually allocate DAI based on how much alUSD has been deposited.

However, looking through claimAndSwap function, it doesn't process any extra profit generated by accumulated yield.

function claimAndSwap(uint256 _amountClaim, uint256 _minOut, IVeloRouter.route[] calldata _path ) external onlyKeepers {

transmuter.claim(_amountClaim, address(this));

uint256 balBefore = asset.balanceOf(address(this));

_swapUnderlyingToAsset(_amountClaim, _minOut, _path);

uint256 balAfter = asset.balanceOf(address(this));

require((balAfter - balBefore) >= _minOut, "Slippage too high");

transmuter.deposit(asset.balanceOf(address(this)), address(this));

}

It reveals a critical flaw in the claimAndSwap function, which fails to update _totalAssets when yields are accumulated. As a result, asset and share calculations become inaccurate.
Further analysis uncovers the incomplete implementation of the _harvestAndReport function, which should accurately report the total assets during strategy execution but falls short of this responsibility.

Impact

Tools Used

Manual Review

Recommendations

Update _harvestAndReport function to correctly reflect the earned yields as profit and included within total assets.

Updates

Lead Judging Commences

inallhonesty Lead Judge

8 months ago

Appeal created

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.