#57599 [SC - Low] Protocol wrongly withdraws before checking balance of withdraw

Submitted on Oct 27th 2025 at 12:17:17 UTC by @securehash1 for Audit Comp | Alchemix V3

  • Report ID: #57599

  • Report Type: Smart Contract

  • Report severity: Low

  • Target: https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/mainnet/MorphoYearnOGWETH.sol

  • Impacts:

    • Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

The _deallocate function in the MorphoYearnOGWETHStrategy contract contains a logical flaw that results in incorrect accounting during the deallocation process: it performs the withdrawal before recording wethBalanceBefore.

Vulnerability Details

When deallocating funds, the function attempts to measure the amount of WETH received from the Yearn vault by comparing the WETH balance before and after the withdrawal. However, due to a logical error, both balance readings (wethBalanceBefore and wethBalanceAfter) are taken after the vault.withdraw() call has completed.

```solidity
function _deallocate(uint256 amount) internal override returns (uint256) {
    vault.withdraw(amount, address(this), address(this));
    // BUG: Both balance checks happen AFTER the withdrawal.
    uint256 wethBalanceBefore = TokenUtils.safeBalanceOf(address(weth), address(this));
    uint256 wethBalanceAfter = TokenUtils.safeBalanceOf(address(weth), address(this));
    // `wethRedeemed` will always be 0 as `wethBalanceAfter` equals `wethBalanceBefore`.
    uint256 wethRedeemed = wethBalanceAfter - wethBalanceBefore;
    if (wethRedeemed < amount) {
        emit StrategyDeallocationLoss("Strategy deallocation loss.", amount, wethRedeemed);
    }
    // This check becomes `require(wethBalanceAfterWithdrawal >= amount)`
    require(wethRedeemed + wethBalanceBefore >= amount, "Strategy balance is less than the amount needed");
}
```

As a result, wethRedeemed is always calculated as 0. This incorrectly triggers the StrategyDeallocationLoss event on every deallocation (since amount will be > 0), even when no loss has occurred.
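The following Foundry test is an added illustration, not the project's code or the reporter's PoC: it places the reported ordering next to the corrected one in a hypothetical harness and uses a constructed MockWethVault (token and vault folded into one contract, with a lossless `withdraw`) to show that only the buggy ordering reports a loss and returns 0.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "forge-std/Test.sol";

// Constructed stand-in for WETH plus the Yearn vault: `withdraw` credits `amount`
// of "WETH" to `receiver`, i.e. a lossless redemption.
contract MockWethVault {
    mapping(address => uint256) public balanceOf;
    function withdraw(uint256 amount, address receiver, address) external returns (uint256) {
        balanceOf[receiver] += amount;
        return amount;
    }
}

// Hypothetical harness: the reported ordering beside the corrected one.
contract DeallocateHarness {
    event StrategyDeallocationLoss(string reason, uint256 expected, uint256 actual);
    MockWethVault immutable vault;
    constructor(MockWethVault _vault) { vault = _vault; }

    // Reported ordering: both reads follow the withdrawal, so wethRedeemed is always 0
    // and the loss event fires on every call; the require degrades to balanceAfter >= amount.
    function deallocateBuggy(uint256 amount) external returns (uint256 wethRedeemed) {
        vault.withdraw(amount, address(this), address(this));
        uint256 balanceBefore = vault.balanceOf(address(this));
        uint256 balanceAfter = vault.balanceOf(address(this));
        wethRedeemed = balanceAfter - balanceBefore;
        if (wethRedeemed < amount) emit StrategyDeallocationLoss("Strategy deallocation loss.", amount, wethRedeemed);
        require(wethRedeemed + balanceBefore >= amount, "Strategy balance is less than the amount needed");
    }

    // Corrected ordering: snapshot the balance first, withdraw, then diff.
    function deallocateFixed(uint256 amount) external returns (uint256 wethRedeemed) {
        uint256 balanceBefore = vault.balanceOf(address(this));
        vault.withdraw(amount, address(this), address(this));
        uint256 balanceAfter = vault.balanceOf(address(this));
        wethRedeemed = balanceAfter - balanceBefore;
        if (wethRedeemed < amount) emit StrategyDeallocationLoss("Strategy deallocation loss.", amount, wethRedeemed);
        require(wethRedeemed + balanceBefore >= amount, "Strategy balance is less than the amount needed");
    }
}

contract DeallocateOrderingTest is Test {
    event StrategyDeallocationLoss(string reason, uint256 expected, uint256 actual);
    function test_orderingDeterminesRedeemedAmount() public {
        DeallocateHarness h = new DeallocateHarness(new MockWethVault());
        // Buggy ordering: a full, lossless withdrawal is still reported as a total loss.
        vm.expectEmit(true, true, true, true);
        emit StrategyDeallocationLoss("Strategy deallocation loss.", 1 ether, 0);
        assertEq(h.deallocateBuggy(1 ether), 0);
        // Fixed ordering: the redeemed amount is measured correctly and no event is emitted.
        assertEq(h.deallocateFixed(1 ether), 1 ether);
    }
}
```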

Impact Details

Contract would fail to deliver the promised returns.

References

https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/strategies/mainnet/MorphoYearnOGWETH.sol?utm_source=immunefi

Proof of Concept

Copy and paste to MorphoYearnOGWETHStrategy.t.sol