DeFi, Foundry, Solidity
16,653 OP
Submission Details
Severity: medium
Valid

`_totalAssets` in `_harvestAndReport` function didn't consider exchanged balance

Summary

`_totalAssets` in the `_harvestAndReport` function doesn't account for the exchanged balance.

Vulnerability Details

In `_harvestAndReport`:

```solidity
_totalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance;
```

When the asset is deposited into the transmuter contract, it is changed to the underlying token over time, so the deposited asset is divided into an unexchanged balance and an exchanged balance.
Although keepers can claim the exchanged balance and swap to underlying token, the `claimAndSwap` function has a limit:

```solidity
// TODO : we swap WETH to ALETH -> need to check that price is better than 1:1
// uint256 oraclePrice = 1e18 * 101 / 100;
require(minOut > _amount, "minOut too low");
```

If the alETH price doesn't depeg, the keeper can't claim, and the exchanged balance in the transmuter contract isn't zero.
So `_totalAssets` should include the exchanged balance.

Impact

`_totalAssets` is wrong, so the share (ERC4626) deviates from the actual value. (The report function can mint or burn shares according to the `_totalAssets` value.)
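
A simplified numeric model of this impact, added here as an illustration and not taken from the strategy's code: it compares the quoted `_totalAssets` formula with the recommended one when a deposit is priced against the reported total. The `Position` fields, the 1:1 valuation, the share math and the sample balances are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Position:
    """Constructed balances, all valued 1:1 in asset units (assumption)."""
    unexchanged: int   # still waiting in the transmuter
    claimable: int     # already exchanged, not yet claimed by a keeper
    idle_asset: int    # asset.balanceOf(address(this))
    underlying: int    # underlyingBalance

def harvest_reported(p: Position) -> int:
    """Formula as quoted in the finding: claimable is left out."""
    return p.unexchanged + p.idle_asset + p.underlying

def harvest_recommended(p: Position) -> int:
    """Formula from the recommendation: claimable is included."""
    return p.unexchanged + p.claimable + p.idle_asset + p.underlying

def shares_for_deposit(amount: int, total_assets: int, total_supply: int) -> int:
    """ERC-4626 style conversion, rounding down."""
    return amount * total_supply // total_assets

def simulate(harvest, exchanged: int, deposit: int):
    """Report, price one deposit, then let a keeper claim and report again.
    Returns (reported total, assets backing the original shares at the end)."""
    supply = 1_000
    p = Position(unexchanged=1_000, claimable=0, idle_asset=0, underlying=0)
    # The transmuter exchanges part of the position over time.
    p.unexchanged -= exchanged
    p.claimable += exchanged
    reported = harvest(p)                 # value a report would store
    minted = shares_for_deposit(deposit, reported, supply)
    p.idle_asset += deposit
    # A later keeper claim turns claimable into a held balance (simplified).
    p.underlying += p.claimable
    p.claimable = 0
    final_total = harvest(p)              # both formulas agree once claimed
    original_value = final_total * supply // (supply + minted)
    return reported, original_value

if __name__ == "__main__":
    for name, fn in (("reported", harvest_reported),
                     ("recommended", harvest_recommended)):
        print(name, simulate(fn, exchanged=400, deposit=600))
```

With 400 of 1,000 units exchanged but unclaimed, the quoted formula reports 600 and the original shares end up backed by 800; with `claimable` included the report is 1,000 and the original shares keep their full backing.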

Tools Used

manual

Recommendations

- _totalAssets = unexchanged + asset.balanceOf(address(this)) + underlyingBalance;
+ _totalAssets = unexchanged + claimable + asset.balanceOf(address(this)) + underlyingBalance;
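
Review bot: `claimable` on the added line is not declared in any of the visible lines, so the recommendation should also show where it is read from the transmuter, next to wherever `unexchanged` is obtained. It should also state which token `claimable` is denominated in, because the sum adds it at face value to `asset.balanceOf(address(this))` and `underlyingBalance`, and the quoted `require(minOut > _amount, "minOut too low")` shows the two tokens are not always treated as 1:1.
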
Updates

Appeal created

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Incorrect accounting in `_harvestAndReport` claimable should be included
