AaveV3ARBUSDCStrategy fails to implement _claimRewards() the internal hook called by the MYTStrategy.claimRewards() public function. Because Aave incentive rewards are claimable only by the rewarded account in the typical Incentives Controller flow, the strategy's accumulated rewards remain unclaimed and inaccessible. This results in permanent loss of yield for the strategy and its depositors unless a corrective action is taken
Vulnerability Details
The MYTStrategy base contract exposes a public claimRewards() function which delegates to an internal virtual _claimRewards() function:
AaveV3ARBUSDCStrategy inherits from MYTStrategy and implements core allocation/deallocation logic (_allocate, _deallocate, _previewAdjustedWithdraw, realAssets) but does not override _claimRewards() — leaving the no-op base implementation. Meanwhile, when the strategy supplies USDC into Aave it receives aUSDC and begins to accrue incentive rewards for the strategy contract address. Aave's Incentives Controller typically allows only the rewards owner (the user whose balance generated the rewards) to claim them, e.g. via an interface such as:
Because the strategy never calls the incentives controller, and because the base hook is a no-op, accrued rewards stay bound to the strategy address and are not forwarded to the vault, owner, or treasury
Impact Details
Accrued Aave incentive tokens for assets deposited via this strategy will not be collected and therefore will not be available to the vault, treasury, or strategy owner.
Loss is persistent across time while the strategy remains deployed without a claim implementation
References
Aave Incentives Controller (example interface and docs): https://docs.aave.com/
Strategy file in repository: src/strategies/arbitrum/AaveV3ARBUSDCStrategy.sol
