#57760 [SC-High] MYTStrategy allocate/deallocate doesn't account for profit and loss

Submitted on Oct 28th 2025 at 18:18:38 UTC by @silver_eth for Audit Comp | Alchemix V3

  • Report ID: #57760

  • Report Type: Smart Contract

  • Report severity: High

  • Target: https://github.com/alchemix-finance/v3-poc/blob/immunefi_audit/src/MYTStrategy.sol

  • Impacts:

    • Permanent freezing of unclaimed yield

Description

Summary

The strategy functions _allocate and _deallocate only return the nominal amount allocated or withdrawn, without reflecting any profit accrued over time. As a result, when attempting to deallocate after yield accumulation, the computed new allocation can underflow and cause a revert.


Vulnerability Details

Initially, suppose the allocation is x.

Because both _allocate and _deallocate return the raw principal amounts, accrued interest I is not reflected in these values. After some time, the true allocation becomes:

new_allocation = x + I

However, during deallocation, the strategy calculates the updated allocation as:

If the maximum amount (x + I) is deallocated, this becomes:

Since this result is negative and stored in an unsigned integer, it triggers an underflow revert.

Importantly, this issue cannot be bypassed by passing a corrected allocation value (x + I) through a proxy call, because the vault’s internal accounting still records the allocation as x. Thus, any attempt to deallocate using the full accrued amount will still revert due to the vault–strategy mismatch.
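A simplified Python model of the mismatch described above, added here as an illustration and not taken from the Alchemix code base or the reporter's PoC. The class names, the vault's update rule (recorded allocation minus the amount the strategy returns) and the `sync_before_exit` mitigation are assumptions.

```python
class Revert(Exception):
    """Stands in for Solidity's checked-arithmetic panic on uint underflow."""

def checked_sub(a: int, b: int) -> int:
    if b > a:
        raise Revert("underflow")
    return a - b

class Strategy:
    """Hypothetical strategy that returns only the nominal amount moved."""
    def __init__(self) -> None:
        self.real_assets = 0                  # principal plus accrued interest
    def allocate(self, amount: int) -> int:
        self.real_assets += amount
        return amount
    def deallocate(self, amount: int) -> int:
        self.real_assets = checked_sub(self.real_assets, amount)
        return amount

class Vault:
    """Hypothetical vault; `recorded` is its own view of the allocation."""
    def __init__(self, strategy: Strategy, sync_before_exit: bool = False) -> None:
        self.strategy = strategy
        self.recorded = 0
        self.sync_before_exit = sync_before_exit
    def allocate(self, amount: int) -> None:
        self.recorded += self.strategy.allocate(amount)
    def deallocate(self, amount: int) -> None:
        snapshot = (self.recorded, self.strategy.real_assets)
        try:
            if self.sync_before_exit:         # assumed mitigation: book P&L first
                self.recorded = self.strategy.real_assets
            returned = self.strategy.deallocate(amount)
            self.recorded = checked_sub(self.recorded, returned)
        except Revert:
            # A reverted transaction leaves no state changes behind.
            self.recorded, self.strategy.real_assets = snapshot
            raise

def full_exit(x: int, interest: int, sync: bool) -> dict:
    """Allocate x, accrue interest, then try to withdraw x + interest."""
    strategy = Strategy()
    vault = Vault(strategy, sync_before_exit=sync)
    vault.allocate(x)
    strategy.real_assets += interest          # yield accrues outside vault accounting
    try:
        vault.deallocate(x + interest)
        reverted = False
    except Revert:
        reverted = True
        vault.deallocate(x)                   # only the recorded principal can leave
    return {"reverted": reverted, "recorded": vault.recorded,
            "stranded": strategy.real_assets}
```

With `sync=False` the full exit reverts and the interest stays in the strategy while the vault records zero; with `sync=True` the same call succeeds and nothing is stranded.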


Impact

  1. Permanent Loss of Yield — Accrued interest within the vault becomes inaccessible, as deallocation reverts when attempting to withdraw profit-inclusive amounts.

  2. Potential Accounting Mismatch — Some debt tokens may appear undercollateralized, since the vault’s recorded shares cannot be redeemed for the actual underlying assets.


References

Proof of Concept


insert into AaveV3ARBWETHStrategyTest
