Summary

The claimAndSwap function in its current implementation suffers from issues related to accuracy in asset deposits and insufficient tracking of asset movements, leading to challenges in auditing and transparency in the contracts of StrategyMainnet.sol, StrategyArb.solandStrategyOp.sol. The function claims WETH, swaps it for alETH, and deposits the entire alETH balance into a transmuter contract. However, it deposits both the newly acquired alETH and the previously held balance, resulting in inaccurate fund tracking.

Vulnerability Details

src/StrategyArb.sol:claimAndSwap#L77
src/StrategyMainnet.sol:claimAndSwap#L112
:src/StrategyOp.sol:#L88

The function deposits the entire alETH balance into the transmuter contract, including both the pre-existing and newly acquired assets. This can lead to incorrect fund deposits, as the previously held assets may be unintentionally included in the deposit, affecting the accuracy of the operation.

The current implementation makes it difficult to track the specific impact of each operation. By depositing the entire alETH balance, the contract does not distinguish between previously held funds and newly acquired assets. This complicates tracking the actual effect of the claim and swap operations, making it harder to calculate the real profit or loss and less transparent for auditors.

Without precise tracking of newly acquired assets, it is difficult to distinguish between funds from previous transactions and those from the current operation. This can result in misleading calculations of the contract’s profitability and complicates auditing efforts.

Impact

1. Inaccurate Financial Reporting:
   By depositing the entire alETH balance, the contract risks including funds that were not acquired through the current operation. This impacts the accuracy of financial reports, making it harder to understand the actual impact of the claim and swap actions.

2. Potential for Mismanagement of Funds:
   Depositing previously held assets along with newly acquired ones could lead to mismanagement of funds, especially if the previously acquired assets were intended to be used differently.

3. Challenges in Auditing:
   The lack of clear distinction between new and pre-existing assets complicates the auditing process. Auditors would find it difficult to verify the accuracy of transactions and understand the flow of assets, potentially leading to overlooked errors and misreporting.

Tools Used

Manual Review

Recommendations

Before performing any operations, record the initial alETH balance. This will allow the contract to accurately compute the newly acquired assets and ensure only these new assets are deposited into the transmuter contract.

Modify the function to deposit only the newly acquired alETH, instead of depositing the entire balance. This can be done by calculating the difference between the final and initial asset balance.