Alchemix Transmuter
Alchemix
DeFiFoundrySolidity
16,653 OP
View results
Previous Next
Submission Details
Severity: low
Invalid

`balanceDeployed` function does not provide the correct deployed balance

zhuying

Summary

balanceDeployed function does not provide the correct deployed balance.

Vulnerability Details

The balanceDeployed function is as follows:

function balanceDeployed() public view returns (uint256) {
return transmuter.getUnexchangedBalance(address(this)) + underlying.balanceOf(address(this))
+ asset.balanceOf(address(this));
}

When the asset is deposited into transmuter contract, the asset will be changed to underlying token over time. The asset is divided into unexchanged balance and exchanged balance.
Although keepers can claim exchanged balance and swap to underlying token, there is a limit for claimAndSwap function:

// TODO : we swap WETH to ALETH -> need to check that price is better than 1:1
// uint256 oraclePrice = 1e18 * 101 / 100;
require(minOut > _amount, "minOut too low");

If the alETH price doesn't depeg, the keeper can't claim and the exchanged balance in transmuter contract isn't zero.
So balanceDeployed function should consider exchanged balance.

Impact

Can't get correct deployed balance by calling balanceDeployed.

Tools Used

manual

Recommendations

function balanceDeployed() public view returns (uint256) {
- return transmuter.getUnexchangedBalance(address(this)) + underlying.balanceOf(address(this)) + asset.balanceOf(address(this));
+ return transmuter.getUnexchangedBalance(address(this)) + transmuter.getExchangedBalance(address(this)) + underlying.balanceOf(address(this)) + asset.balanceOf(address(this));
}
Updates

Appeal created

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

balanceDeployed should include claimable

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.