All strategy contracts across all chains (Mainnet, Arbitrum, Optimism, Base) return incorrect deallocation amounts during normal vault operations, causing permanent accounting corruption that compounds with every operation and leads to protocol insolvency. The bug requires no attacker - it triggers automatically during legitimate vault rebalancing by admin/operators. This affects every strategy (Euler, Aave, Compound, Morpho, Tokemak, etc.), every asset (USDC, WETH), and every user, making it a systemic protocol-wide vulnerability with no recovery mechanism.
While the bug exists in the _deallocate() implementation of all strategy contracts, I'm reporting src/MYTStrategy.sol as the primary affected file because it's the base contract that all strategies inherit from and contains the deallocate() function that propagates the incorrect return values to the vault's accounting system.
Vulnerability Details
Root Cause
Every strategy's _deallocate() function calculates the actual amount received from external protocols but returns the requested amount instead:
The strategy:
Calculates usdcRedeemed (actual amount received)
Detects if usdcRedeemed < amount (loss occurred)
Emits a loss event
But returns amount instead of usdcRedeemed
How Vault Tracking Breaks
The Morpho vault updates its internal tracking based on the returned value:
Why Actual Amount Differs from Requested
External protocols return less than requested due to: ERC4626 rounding (Euler's toSharesUp() rounds against withdrawers), protocol fees (0.01-0.1%), slippage on LP unwinding, and market stress (1-5% during liquidations).
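The drift described above can be reproduced with a small Python model. This is an added example, not the project's Solidity code: the `Strategy` and `Vault` classes, the 0.1% shortfall and the call sizes are constructed, and it assumes the vault credits its books with whatever value the strategy returns. It also shows the balance-delta comparison a vault or monitor can use to flag a report that does not match the tokens received.

```python
from dataclasses import dataclass

BPS = 10_000  # basis-point denominator


@dataclass
class Strategy:
    loss_bps: int        # assumed shortfall of the external protocol per withdrawal
    report_actual: bool  # False: reports the requested amount; True: the received amount

    def deallocate(self, amount: int) -> tuple[int, int]:
        """Return (value reported to the vault, tokens actually transferred)."""
        redeemed = amount - amount * self.loss_bps // BPS
        reported = redeemed if self.report_actual else amount
        return reported, redeemed


@dataclass
class Vault:
    tracked: int = 0  # what the vault's books say has come back
    balance: int = 0  # tokens the vault really holds

    def pull(self, strategy: Strategy, amount: int) -> bool:
        """Deallocate once; return whether the report matched the balance delta."""
        before = self.balance
        reported, redeemed = strategy.deallocate(amount)
        self.balance += redeemed
        self.tracked += reported  # assumption: books follow the returned value
        return reported == self.balance - before


def simulate(report_actual: bool, loss_bps: int, amount: int, rounds: int):
    """Run `rounds` deallocations; return (drift, number of mismatched reports)."""
    vault, strategy = Vault(), Strategy(loss_bps, report_actual)
    mismatches = sum(not vault.pull(strategy, amount) for _ in range(rounds))
    return vault.tracked - vault.balance, mismatches


if __name__ == "__main__":
    # Constructed input: 1,000 USDC (6 decimals) per call, 0.1% shortfall, 50 calls.
    for mode in (False, True):
        drift, bad = simulate(mode, 10, 1_000_000_000, 50)
        print(f"report_actual={mode}: drift={drift} mismatched_reports={bad}")
```

The drift grows linearly with the number of deallocations when the requested amount is reported, and stays at zero when the received amount is reported.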