DeFi, Foundry, Solidity
16,653 OP
Submission Details
Severity: medium
Valid

The underlying token is locked at the `StrategyMainnet` contract

Summary

Underlying tokens that end up in the `StrategyMainnet` balance can't be withdrawn, i.e. they are locked in the contract permanently.

Vulnerability Details

The `claimAndSwap` function swaps exactly `_amountClaim` and ignores the contract balance.

```solidity
    function claimAndSwap(
>>      uint256 _amountClaim,
        uint256 _minOut,
        uint256 _routeNumber
    ) external onlyKeepers {
        transmuter.claim(_amountClaim, address(this));
        uint256 balBefore = asset.balanceOf(address(this));
        require(_minOut > _amountClaim, "minOut too low");
        router.exchange(
            routes[_routeNumber],
            swapParams[_routeNumber],
>>          _amountClaim,
            _minOut,
            pools[_routeNumber],
            address(this)
        );
        uint256 balAfter = asset.balanceOf(address(this));
        require((balAfter - balBefore) >= _minOut, "Slippage too high");
        transmuter.deposit(asset.balanceOf(address(this)), address(this));
    }
```

Impact

Asset locking/losses.

Tools used

Manual Review

Recommendations

Consider swapping the contract's `underlying.balanceOf` as in other strategies.
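The accounting difference between the reported logic and the recommendation can be checked with a small balance model. This is an added Python example, not the project's Solidity; the `Strategy` class, the 1.01 swap rate and the amounts are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Strategy:
    """Constructed model of the strategy's balances (hypothetical names)."""
    underlying: int = 0     # WETH sitting on the strategy contract
    asset: int = 0          # alETH sitting on the strategy contract
    deposited: int = 0      # alETH deposited into the transmuter
    claimable: int = 0      # WETH the transmuter lets the strategy claim
    rate_bps: int = 10_100  # assumed pool rate: 1 WETH -> 1.01 alETH

    def _claim(self, amount):
        if amount > self.claimable:
            raise ValueError("claim exceeds claimable")
        self.claimable -= amount
        self.underlying += amount

    def _swap_and_deposit(self, amount_in, min_out):
        if min_out <= amount_in:
            raise ValueError("minOut too low")
        out = amount_in * self.rate_bps // 10_000
        if out < min_out:
            raise ValueError("Slippage too high")
        self.underlying -= amount_in
        self.deposited += self.asset + out  # deposit the full alETH balance
        self.asset = 0

    def claim_and_swap(self, amount_claim, min_out):
        """Reported behaviour: the swap input is exactly amount_claim."""
        self._claim(amount_claim)
        self._swap_and_deposit(amount_claim, min_out)

    def claim_and_swap_balance(self, amount_claim, min_out):
        """Recommended behaviour: the swap input is the whole WETH balance."""
        self._claim(amount_claim)
        self._swap_and_deposit(self.underlying, min_out)

def leftover_after(fixed, dormant=5, claim=100):
    """Return (WETH left on the contract, alETH deposited) after one keeper call."""
    s = Strategy(underlying=dormant, claimable=claim)
    if fixed:
        s.claim_and_swap_balance(claim, min_out=claim + dormant + 1)
    else:
        s.claim_and_swap(claim, min_out=claim + 1)
    return s.underlying, s.deposited
```

In the model, the keeper has to compute `min_out` against the full balance being swapped once the input is no longer `_amountClaim`.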

Updates

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Dormant WETH in the contract will never be swapped back to alETH

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Dormant WETH is not properly treated
