Core Contracts
Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Status: Invalid

Unchecked return value: Treasury.withdraw(address,uint256,address) ignores the bool returned by IERC20.transfer

Summary

The withdraw function in Treasury.sol calls IERC20(token).transfer(recipient, amount) without checking its boolean return value, so a transfer that reports failure by returning false instead of reverting is silently treated as successful.

Vulnerability Details

In Treasury.withdraw(address,uint256,address), the result of the transfer call is discarded. The ERC20 standard allows a token to signal failure either by reverting or by returning false, and several deployed tokens do the latter. Against such a token, withdraw completes normally while no tokens move, because nothing in the function inspects the returned bool.

Impact

Ignoring the return value lets withdraw succeed without any tokens leaving the Treasury. Any bookkeeping that assumes the withdrawal happened is then wrong: the Treasury believes funds were withdrawn even though they were not, producing discrepancies between expected and actual balances and potential misallocation of tokens.

Tools Used

Manual code review (GitHub)

Recommendations

Check the return value of every ERC20 transfer, or use a wrapper that does so. The minimal change is:

require(IERC20(token).transfer(recipient, amount), "Transfer failed");

This catches tokens that return false, but it does not help with tokens whose transfer returns no value at all (mainnet USDT is the usual example): Solidity's ABI decoder reverts when a function declared to return bool receives no return data, with or without the require. OpenZeppelin's SafeERC20.safeTransfer covers both cases, reverting on a revert or a false return and accepting an empty return, so it is the more robust fix.

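The following is an added, self-contained illustration of the unchecked-transfer pattern and its SafeERC20 fix; it is not the audited Treasury.sol. The two Treasury sketches, their owner check, the mock tokens and the Demo harness are assumptions made for this example. It goes slightly beyond the finding by also showing the no-return-value token class that a bare require() does not handle.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited Treasury.sol. The two Treasury sketches,
// the owner check and the mock tokens are assumptions made for this example.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Mock token that signals failure by returning false instead of reverting.
/// Balances never move, so the call "succeeds" only if the bool is ignored.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;
    constructor(address holder) { balanceOf[holder] = 1_000e18; }
    function transfer(address, uint256) external pure returns (bool) { return false; }
}

/// Mock of a token such as mainnet USDT whose transfer returns nothing.
/// Calling it through IERC20 (declared to return bool) reverts inside the
/// ABI decoder, whether or not the caller wraps the call in require().
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;
    constructor(address holder) { balanceOf[holder] = 1_000e18; }
    function transfer(address to, uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}

/// The pattern reported in the finding: the bool from transfer() is dropped.
contract VulnerableTreasury {
    address public immutable owner;
    constructor() { owner = msg.sender; }

    function withdraw(address token, uint256 amount, address recipient) external {
        require(msg.sender == owner, "not owner");
        IERC20(token).transfer(recipient, amount); // return value ignored
    }
}

/// Hardened version: SafeERC20 reverts on a revert or a false return and
/// accepts an empty return, so both classes of non-standard token are covered.
contract HardenedTreasury {
    using SafeERC20 for IERC20;
    address public immutable owner;
    constructor() { owner = msg.sender; }

    function withdraw(address token, uint256 amount, address recipient) external {
        require(msg.sender == owner, "not owner");
        IERC20(token).safeTransfer(recipient, amount);
    }
}

/// Deploys everything and exercises the three cases in one call. Each
/// returned flag is true when the behaviour described in the finding holds.
contract Demo {
    function run()
        external
        returns (bool silentFailure, bool hardenedReverts, bool hardenedAcceptsNoReturn)
    {
        // Demo is msg.sender in both constructors, so it passes the owner check.
        VulnerableTreasury vuln = new VulnerableTreasury();
        HardenedTreasury safe = new HardenedTreasury();
        FalseReturningToken badForVuln = new FalseReturningToken(address(vuln));
        FalseReturningToken badForSafe = new FalseReturningToken(address(safe));
        NoReturnToken usdtLike = new NoReturnToken(address(safe));

        // 1. Unchecked transfer: the withdraw call completes, nothing moves.
        vuln.withdraw(address(badForVuln), 1e18, address(this));
        silentFailure = badForVuln.balanceOf(address(vuln)) == 1_000e18
            && badForVuln.balanceOf(address(this)) == 0;

        // 2. Same token against the hardened Treasury: false becomes a revert.
        try safe.withdraw(address(badForSafe), 1e18, address(this)) {
            hardenedReverts = false;
        } catch {
            hardenedReverts = true;
        }

        // 3. A no-return token still withdraws correctly through SafeERC20,
        //    where require(IERC20(t).transfer(...)) would have reverted.
        safe.withdraw(address(usdtLike), 1e18, address(this));
        hardenedAcceptsNoReturn = usdtLike.balanceOf(address(this)) == 1e18;
    }
}
```

Compile with the OpenZeppelin contracts package installed, deploy Demo in a Hardhat test and call run() through a static call (ethers v6: demo.run.staticCall()); all three flags come back true. Case 1 is the reported issue, case 2 is the fix, and case 3 is why SafeERC20 is preferable to wrapping the raw transfer in require().
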
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Known issue
