Alchemix Transmuter

Alchemix

DeFiFoundrySolidity

16,653 OP

View results

Previous Next

Submission Details

Severity: medium

Invalid

The problem of duplicate statistics in the calculation of synthetic asset and underlying asset balances

wttt

Summary

The problem of duplicate statistics in the calculation of synthetic asset and underlying asset balances

Vulnerability Details

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L135-L137

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyMainnet.sol#L146-L148

Assumptions

Asset Definition
• aLETH (synthetic asset): can be converted to WETH through transmuter.
• WETH (underlying asset): the target asset of aLETH.
System Status
• The current contract address has the following assets:
• aLETH directly held: 100.
• WETH directly held: 50.
• Transmuter shows:
• Unfinished aLETH: 80 (referring to the part submitted to transmuter and waiting for redemption).

Current balanceDeployed function:

function balanceDeployed() public view returns (uint256) {

return transmuter.getUnexchangedBalance(address(this)) +

underlying.balanceOf(address(this)) +

asset.balanceOf(address(this));

}

Execution logic:
• transmuter.getUnexchangedBalance(address(this)) returns the unexchanged aLETH: 80.
• underlying.balanceOf(address(this)) returns the held WETH: 50.
• asset.balanceOf(address(this)) returns the directly held aLETH: 100.

Calculation result:
Total asset balance = 80 (unexchanged aLETH) + 50 (WETH) + 100 (directly held aLETH) = 230.

Actual Asset Analysis

The 80 returned by transmuter.getUnexchangedBalance is already included in the directly held aLETH (100).
• These 80 aLETH are being exchanged, but they still belong to the directly held assets.
Therefore, part of the calculation of transmuter.getUnexchangedBalance and asset.balanceOf duplicates 80 aLETH.

Actual Total Assets:
• Directly held WETH: 50.
• Directly held aLETH: 100.

The total assets should be 50 + 100 = 150, not 230.

Impact

If transmuter.getUnexchangedBalance has already calculated the aLETH being exchanged, we should not add the aLETH in asset.balanceOf separately. Instead, we should only consider the WETH and aLETH directly held to avoid duplicate counting.

Tools Used

Manual review

Recommendations

To avoid duplicate counting, you can adjust the logic to ensure that getUnexchangedBalance and asset.balanceOf are not counted repeatedly:

function balanceDeployed() public view returns (uint256) {

uint256 underlyingBalance = underlying.balanceOf(address(this));

uint256 directAssetBalance = asset.balanceOf(address(this));

return underlyingBalance + directAssetBalance;

}

Updates

Lead Judging Commences

inallhonesty Lead Judge

8 months ago

Appeal created

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

16,653 OP

nSLOC

253

66 OP / LOC

High Medium

15,800

Low

853

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.