Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

No way to get allocated funds out

Likelihood

High

Impact

High

Description

Treasury.sol is supposed to let the allocator allocate funds to participants, described as "allocation without transfer". However, there is no function through which recipients can withdraw their allocation, so allocating funds to recipients is worthless.

    function allocateFunds(
        address recipient,
        uint256 amount
    ) external override onlyRole(ALLOCATOR_ROLE) {
        if (recipient == address(0)) revert InvalidRecipient();
        if (amount == 0) revert InvalidAmount();
        // Only records the allocation; no tokens move and nothing later pays it out
        _allocations[msg.sender][recipient] = amount;
        emit FundsAllocated(recipient, amount);
    }

The other function, withdraw(), is used by the MANAGER_ROLE to withdraw tokens:

    function withdraw(
        address token,
        uint256 amount,
        address recipient
    ) external override nonReentrant onlyRole(MANAGER_ROLE) {
        if (token == address(0)) revert InvalidAddress();
        if (recipient == address(0)) revert InvalidRecipient();
        // Checks only the raw balance, not the part already promised via allocateFunds()
        if (_balances[token] < amount) revert InsufficientBalance();
        _balances[token] -= amount;
        _totalValue -= amount;
        IERC20(token).transfer(recipient, amount);
        emit Withdrawn(token, amount, recipient);
    }

withdraw() does not take already allocated funds into account, which lets the token balance and the allocation records diverge.

Example:
- Treasury balance before the admin (MANAGER_ROLE) withdrawal: 1000e18
- Allocated to different users: 700e18
- Admin withdraws: 900e18
- Balance after withdrawal: 100e18

The allocation mapping would still record 700e18, but the real balance would be 100e18, resulting in incorrect accounting.

Mitigation

Add a function that lets a recipient withdraw their allocation, and add a check in withdraw() so that the manager can only withdraw the part of the balance not covered by the total outstanding allocations.
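The following sketch is an added example of both mitigation points, not the project's Treasury.sol. It assumes OpenZeppelin v5 imports and tracks allocations per token (the original allocateFunds() takes no token parameter, so that is an assumption here); the `_totalValue` counter of the original is left out. A per-token `_totalAllocated` sum keeps the invariant `_totalAllocated[token] <= _balances[token]`, `claimAllocation()` is the missing payout path, and `withdraw()` can only touch the unallocated remainder. In the scenario above (1000e18 balance, 700e18 allocated), a manager withdrawal of 900e18 reverts because only 300e18 is unallocated.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5 import paths.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Hypothetical hardened treasury (example code, not the audited Treasury.sol).
contract TreasuryAllocationsExample is AccessControl, ReentrancyGuard {
    using SafeERC20 for IERC20;

    bytes32 public constant MANAGER_ROLE = keccak256("MANAGER_ROLE");
    bytes32 public constant ALLOCATOR_ROLE = keccak256("ALLOCATOR_ROLE");

    error InvalidAddress();
    error InvalidRecipient();
    error InvalidAmount();
    error InsufficientUnallocatedBalance();
    error NothingAllocated();

    event FundsAllocated(address indexed token, address indexed recipient, uint256 amount);
    event AllocationClaimed(address indexed token, address indexed recipient, uint256 amount);
    event Withdrawn(address indexed token, uint256 amount, address indexed recipient);

    // token => balance the treasury accounts for
    mapping(address => uint256) private _balances;
    // token => recipient => amount promised but not yet paid out (assumed per-token design)
    mapping(address => mapping(address => uint256)) private _allocations;
    // token => sum of all outstanding allocations; invariant: <= _balances[token]
    mapping(address => uint256) private _totalAllocated;

    constructor(address admin) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    /// Pull tokens in and credit the amount actually received.
    function deposit(address token, uint256 amount) external {
        if (token == address(0)) revert InvalidAddress();
        if (amount == 0) revert InvalidAmount();
        uint256 before = IERC20(token).balanceOf(address(this));
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        _balances[token] += IERC20(token).balanceOf(address(this)) - before;
    }

    /// "Allocation without transfer": reserve tokens for a recipient. Only the
    /// unallocated part of the balance can be promised, so allocations stay backed.
    function allocateFunds(address token, address recipient, uint256 amount)
        external
        onlyRole(ALLOCATOR_ROLE)
    {
        if (token == address(0)) revert InvalidAddress();
        if (recipient == address(0)) revert InvalidRecipient();
        if (amount == 0) revert InvalidAmount();
        if (unallocatedBalance(token) < amount) revert InsufficientUnallocatedBalance();
        _allocations[token][recipient] += amount;
        _totalAllocated[token] += amount;
        emit FundsAllocated(token, recipient, amount);
    }

    /// The missing payout path: a recipient withdraws what was allocated to them.
    /// State is cleared before the external transfer (checks-effects-interactions).
    function claimAllocation(address token) external nonReentrant {
        uint256 amount = _allocations[token][msg.sender];
        if (amount == 0) revert NothingAllocated();
        _allocations[token][msg.sender] = 0;
        _totalAllocated[token] -= amount;
        _balances[token] -= amount;
        IERC20(token).safeTransfer(msg.sender, amount);
        emit AllocationClaimed(token, msg.sender, amount);
    }

    /// Manager withdrawal is limited to the balance not covered by allocations.
    function withdraw(address token, uint256 amount, address recipient)
        external
        nonReentrant
        onlyRole(MANAGER_ROLE)
    {
        if (token == address(0)) revert InvalidAddress();
        if (recipient == address(0)) revert InvalidRecipient();
        if (amount == 0) revert InvalidAmount();
        // Replaces the plain `_balances[token] < amount` check of the original
        if (unallocatedBalance(token) < amount) revert InsufficientUnallocatedBalance();
        _balances[token] -= amount;
        IERC20(token).safeTransfer(recipient, amount);
        emit Withdrawn(token, amount, recipient);
    }

    /// Funds the manager may still move without breaking a promise to a recipient.
    function unallocatedBalance(address token) public view returns (uint256) {
        return _balances[token] - _totalAllocated[token];
    }
}
```

SafeERC20 is used instead of a bare `transfer()` so that tokens which return `false` rather than reverting cannot leave the accounting out of step with the real balance; the `deposit()` credit by measured balance difference serves the same purpose for fee-on-transfer tokens.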

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

What do people do with allocations
