Inconsistency Between Comments and Implementation in balances() Function

Summary

Inconsistency between code implementation and comments in the balances() function

Vulnerability Detail

The comment on line 527 indicates that the function should return the sum of the contract's balance and the pool's balance minus any unharvested fees (feesUnharvested). However, the actual implementation does not perform this subtraction, leading to potentially incorrect reporting of token balances.

 function balances() public view returns (uint256 token0Bal, uint256 token1Bal) {
        (uint256 thisBal0, uint256 thisBal1) = balancesOfThis();
        (uint256 poolBal0, uint256 poolBal1,,,,) = balancesOfPool();

        uint256 total0 = thisBal0 + poolBal0;
        uint256 total1 = thisBal1 + poolBal1;

        // For token0 and token1 we return balance of this contract + balance of positions - feesUnharvested.
        return (total0, total1);
    }

Impact

This leads to inaccurate reflection of the actual total token balances held by the strategy, potentially affecting decision-making processes related to liquidity management, fee distribution, and overall strategy

Code Snippet

https://github.com/sherlock-audit/2024-05-beefy-cowcentrated-liquidity-manager/blob/main/cowcentrated-contracts/contracts/strategies/velodrome/StrategyPassiveManagerVelodrome.sol#L527-L529

Tool used

Manual Review

Recommendation

To align the implementation with the comment and ensure accurate reporting of token balances, consider modifying the balances() function to subtract feesUnharvested from the total balances. Additionally, ensure that feesUnharvested is properly defined and updated within the contract to accurately reflect uncollected fees.

Duplicate of #42

sherlock-audit / 2024-05-beefy-cowcentrated-liquidity-manager-judging

Rhaydden - Inconsistency Between Comments and Implementation in balances() Function #56