search
Active Boosts

57024 sc low wethbalancebefore is computed after withdrawal in deallocate function in morphoyearnogwethstrategy contract leading to systematic strategydeallocationloss event emission

Submitted on Oct 22nd 2025 at 18:59:02 UTC by @Tadev for Audit Comp | Alchemix V3arrow-up-right

  • Report ID: #57024

  • Report Type: Smart Contract

  • Report severity: Low

  • Target: https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/mainnet/MorphoYearnOGWETH.sol

  • Impacts:

    • Contract fails to deliver promised returns, but doesn't lose value

hashtag
Description

hashtag
Brief/Intro

The MorphoYearnOGWETHStrategy contract implements the _deallocate function as follows:

    function _deallocate(uint256 amount) internal override returns (uint256) {
        vault.withdraw(amount, address(this), address(this));
        uint256 wethBalanceBefore = TokenUtils.safeBalanceOf(address(weth), address(this));
        uint256 wethBalanceAfter = TokenUtils.safeBalanceOf(address(weth), address(this));
        uint256 wethRedeemed = wethBalanceAfter - wethBalanceBefore;
        if (wethRedeemed < amount) {
            emit StrategyDeallocationLoss("Strategy deallocation loss.", amount, wethRedeemed);
        }
        require(wethRedeemed + wethBalanceBefore >= amount, "Strategy balance is less than the amount needed");
        require(TokenUtils.safeBalanceOf(address(weth), address(this)) >= amount, "Strategy balance is less than the amount needed");
        TokenUtils.safeApprove(address(weth), msg.sender, amount);
        return amount;
    }

Contrary to all other strategies in scope, this one computes wethBalanceBefore after calling vault.withdraw . This means wethBalanceBefore == wethBalanceAfter and therefore wethRedeemed == 0. Hence, the line emit StrategyDeallocationLoss("Strategy deallocation loss.", amount, wethRedeemed); is always executed, emitting the event of deallocation loss during each deallocation.

hashtag
Vulnerability Details

The vulnerability lies in the incorrect logic in _deallocate. The snippet:

should be :

hashtag
Impact Details

The impact of this issue is low as it is related to incorrect logic in the contract, leading to wrong emission of events.

hashtag
Proof of Concept

hashtag
Proof of Concept

Please copy paste the following test in MorphoYearnOGWETHStrategyTest.t.sol file:

This test:

  • deposits amountToAllocate in the vault

  • withdraws amountToAllocate 1 day later

Deallocation is successful, but the StrategyDeallocationLoss event is emitted with a value of 0 for the actual reedemed amount, which is incorrect.

Previous58627 sc low incorrect delta calculation in deallocate causes wethredeemed to always be zero Next58773 sc medium in stargate incorrect allocation cap accounting leading to unnecessary dos

Was this helpful?