#56465 [SC-Low] getTotalDeposited doesn't reflect the correct total deposited

Submitted on Oct 16th 2025 at 11:06:05 UTC by @j3x for Audit Comp | Alchemix V3

  • Report ID: #56465

  • Report Type: Smart Contract

  • Report severity: Low

  • Target: https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/AlchemistV3.sol

  • Impacts:

    • Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

AlchemistV3::getTotalDeposited doesn't reflect the correct total deposited. It returns the balance of the contract, which contradicts the purpose of the _mytSharesDeposited variable: that variable exists to differentiate between the contract's balance and the amount deposited.

Vulnerability Details

  • In this comment, it is said that the _mytSharesDeposited variable is used to differentiate between tokens deposited and the balance of the contract.

  • This means that _mytSharesDeposited reflects the tokens deposited, and this is why it is increased in deposit() here.

  • But if we look at getTotalDeposited(), we find that it returns the balance of the contract:

  • This contradicts the comment above, as the balance is not always equal to the total deposited amount (due to direct token transfers, for example).

Impact Details

getTotalDeposited() fails to deliver promised returns, as it fails to return the correct total amount deposited.

References

https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/interfaces/IAlchemistV3.sol#L771

Proof of Concept


Put the following test under src/test/AlchemistV3.t.sol:

You will see that the correct amount deposited is 100, but getTotalDeposited() returns 101 because of the direct token transfer that happened.
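The same accounting mismatch in a stand-alone form, as an added example that is not the report's test and not Alchemix code: DemoToken, DemoVault, Demo and all their function names are hypothetical, and the counter-based getter is one assumed way to make the getter agree with the tracked deposits. Demo.run() deposits 100 through deposit(), sends 1 token directly to the vault, and returns both getters' values for comparison.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed minimal token with only what the demo needs (not a full ERC-20).
contract DemoToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function approve(address spender, uint256 amount) external { allowance[msg.sender][spender] = amount; }
    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical vault that tracks deposits in a counter, in the role of _mytSharesDeposited.
contract DemoVault {
    DemoToken public immutable token;
    uint256 private _sharesDeposited;
    constructor(DemoToken t) { token = t; }
    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        _sharesDeposited += amount; // only deposit() moves the counter
    }
    // Pattern the report describes: the balance also includes tokens sent directly.
    function totalDepositedFromBalance() external view returns (uint256) { return token.balanceOf(address(this)); }
    // Counter-based getter (assumed fix): unaffected by direct transfers.
    function totalDepositedFromCounter() external view returns (uint256) { return _sharesDeposited; }
}

// Driver reproducing the scenario: one deposit plus one direct transfer.
contract Demo {
    function run() external returns (uint256 fromBalance, uint256 fromCounter) {
        DemoToken token = new DemoToken();
        DemoVault vault = new DemoVault(token);
        token.mint(address(this), 101);
        token.approve(address(vault), 100);
        vault.deposit(100);                // goes through the vault's accounting
        token.transfer(address(vault), 1); // bypasses deposit(); counter unchanged
        return (vault.totalDepositedFromBalance(), vault.totalDepositedFromCounter());
    }
}
```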

Mitigation
