Alchemix Transmuter
Alchemix
DeFiFoundrySolidity
16,653 OP
View results
Previous Next
Submission Details
Severity: high
Invalid

Unaccounted yield risks loss for users

mbushbush

Code Snippets

https://github.com/Cyfrin/2024-12-alchemix/blob/82798f4891e41959eef866bd1d4cb44fc1e26439/src/StrategyOp.sol#L79

Summary

The claimAndSwap process overlooks the inclusion of accumulated yield as part of the profits owed to depositors. This results in depositors receiving less than their fair share, causing financial discrepancies and damaging the integrity of the system.

Vulnerability Details

This comes with claimAndSwap function which neglects profit from yield generation. Missing the logic to update _totalAssets with yields and it causes misconception throughout strategy operations. Following code lines show the implementation:

function claimAndSwap(uint256 _amountClaim, uint256 _minOut, IVeloRouter.route[] calldata _path ) external onlyKeepers {
transmuter.claim(_amountClaim, address(this));
uint256 balBefore = asset.balanceOf(address(this));
_swapUnderlyingToAsset(_amountClaim, _minOut, _path);
uint256 balAfter = asset.balanceOf(address(this));
require((balAfter - balBefore) >= _minOut, "Slippage too high");
transmuter.deposit(asset.balanceOf(address(this)), address(this));
}

Impact

Tools Used

Manual Review

Recommendations

Update claimAndSwap function properly to reflect generated yields by depositing into transmuter.

Updates

Lead Judging Commences

inallhonesty Lead Judge
8 months ago

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.