search
Active Boosts

57167 sc medium missing claim function in euler and morpho strategies leads to loss of yield rewards

Submitted on Oct 24th 2025 at 02:44:36 UTC by @Bluedragon for Audit Comp | Alchemix V3arrow-up-right

  • Report ID: #57167

  • Report Type: Smart Contract

  • Report severity: Medium

  • Target: https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/mainnet/EulerUSDCStrategy.sol

  • Impacts:

    • Permanent freezing of unclaimed yield

hashtag
Description

hashtag
Summary:

The Euler and Morpho strategies (EulerWETHStrategy, EulerUSDCStrategy, and MorphoYearnOGWETHStrategy) does not implement a claim function to retrieve allocations incentives from the Merkl rewards distributor. This omission prevents protocol from claiming rewards accrued during supply operations, which are hosted on the Merkl platformarrow-up-right. The lack of this functionality limits the strategies usability and fails to deliver the full benefits of the underlying protocols.

hashtag
Vulnerability Details:

Missing functionality:

  • The strategies does not override the claim function from MYTStrategy.sol to interact with the Merkl rewards distributor.

  • Allocator cannot claim rewards (e.g., $MORPHO tokens) accrued during supply operations on Euler or Morpho protocols.

  • Example claim flow:

    • Fetch claim data using Merkl's REST API: https://rewards.morpho.org/v1/users/{strategyAddress}/distributions.

    • Call the claim function in the rewards distributor contract with the fetched data (proofs, claimable amount, etc.).

hashtag
Impact

  • Protocol is unable to claim rewards, reducing the strategies value proposition and usability.

  • Incentives hosted on Merkl remain unclaimed, potentially leading to lost revenue opportunities.

hashtag
Proof of Concept

hashtag
Proof of Concept (Scenario step by step):

As this is a missing functionality issue, we can provide only scenario based step by step proof of concept to demonstrate the impact rather than a runnable proof of concept.

  1. Deploy any of the affected strategies (e.g., EulerWETHStrategy).

  2. Supply assets to the strategy to accrue rewards on the underlying protocol (Euler or Morpho).

  3. Attempt to claim rewards using Merkl's REST API to fetch claim data.

  4. Observe that there is no claim function implemented in the strategy to facilitate the reward claiming process.

  5. As a result, the protocol cannot claim any accrued rewards. Snippet (missing function):

hashtag
Recommended Mitigation:

  1. Implement a claimRewards function in each strategy to interact with the Merkl rewards distributor. Example:

  2. Add logic to fetch claim data from Merkl's REST API:

    • Example (Node.js):

Previous57680 sc high peapodsethstrategy unable to withdraw yield from price share increaseNext58002 sc low missing submitremovestrategy function

Was this helpful?