Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Potential for Excessive Fund Allocation on Treasury.sol

Summary

The allocateFunds function lets any allocator record an allocation of an arbitrary amount to any recipient. Nothing tracks the total funds available or checks that an allocation fits within the treasury's balance, so the integrity of the process rests entirely on allocators managing it carefully.

Vulnerability Details

// Treasury::allocateFunds stores the allocation directly, with no check against the
// treasury's balance or the allocations already outstanding
_allocations[msg.sender][recipient] = amount;

Impact

An allocator could allocate more funds than the treasury actually holds, leaving it overdrawn: the sum of outstanding allocations would exceed the real balance, so not all of them could be honoured.

Tools Used

Recommendations

Introduce a check that the total allocated amount, including the new allocation, does not exceed the balance available in the treasury, so that allocations can never exceed the resources backing them.

// Inside allocateFunds(token, recipient, amount). `allocators` is assumed to be an
// address[] of approved allocators and `_balances[token]` the treasury's tracked
// balance of `token`; neither is shown elsewhere in this report.
uint256 totalAllocated = 0;
// Solidity has no range-based for loop, so index into the allocator array
for (uint256 i = 0; i < allocators.length; i++) {
    // The caller's previous allocation to this recipient is about to be replaced,
    // so skip it to avoid counting it twice
    if (allocators[i] == msg.sender) continue;
    totalAllocated += _allocations[allocators[i]][recipient];
}
require(totalAllocated + amount <= _balances[token], "Insufficient funds for allocation");
_allocations[msg.sender][recipient] = amount;
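The snippet above bounds allocations to a single recipient; a treasury-wide invariant also has to account for allocations to every other recipient, which is the gap the judging tag below points at. The contract that follows is an added example written for this report, not the audited Treasury.sol: it keeps a running per-token total of all outstanding allocations, takes the token as an explicit parameter, replaces rather than double counts an allocator's previous figure for the same recipient, and refuses any allocation that would push the total past the treasury's real ERC-20 balance. The storage names (`allocators`, `_allocations`, `_totalAllocated`), the owner-gated `setAllocator` and the view helpers are assumptions, not the project's own API.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Only balanceOf is needed to bound allocations by what the treasury really holds.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

/// Illustrative treasury written for this report (not the audited contract).
/// Storage names (`allocators`, `_allocations`, `_totalAllocated`) are assumptions.
contract TreasuryAllocationExample {
    address public immutable owner;
    mapping(address => bool) public allocators;

    // token => allocator => recipient => outstanding allocation
    mapping(address => mapping(address => mapping(address => uint256))) private _allocations;
    // token => sum of every outstanding allocation, across all allocators and recipients
    mapping(address => uint256) private _totalAllocated;

    event FundsAllocated(
        address indexed token,
        address indexed allocator,
        address indexed recipient,
        uint256 previousAmount,
        uint256 newAmount
    );

    error NotAllocator(address caller);
    error ExceedsUnallocatedBalance(address token, uint256 requested, uint256 available);

    constructor() {
        owner = msg.sender;
        allocators[msg.sender] = true;
    }

    function setAllocator(address account, bool enabled) external {
        require(msg.sender == owner, "not owner");
        allocators[account] = enabled;
    }

    /// Sets the caller's allocation of `token` to `recipient` to `amount`.
    /// The previous figure for this (allocator, recipient) pair is replaced rather
    /// than added, and the call reverts if the treasury's total outstanding
    /// allocations would exceed its actual token balance.
    function allocateFunds(address token, address recipient, uint256 amount) external {
        if (!allocators[msg.sender]) revert NotAllocator(msg.sender);
        require(recipient != address(0), "zero recipient");

        uint256 previous = _allocations[token][msg.sender][recipient];
        // Everything already promised except the figure being replaced; cannot
        // underflow because `previous` is part of the recorded total.
        uint256 otherCommitments = _totalAllocated[token] - previous;
        uint256 balance = IERC20(token).balanceOf(address(this));
        // Tokens may have left the treasury since earlier allocations were made,
        // so clamp the available figure at zero instead of underflowing.
        uint256 available = balance > otherCommitments ? balance - otherCommitments : 0;
        if (amount > available) revert ExceedsUnallocatedBalance(token, amount, available);

        _totalAllocated[token] = otherCommitments + amount;
        _allocations[token][msg.sender][recipient] = amount;
        emit FundsAllocated(token, msg.sender, recipient, previous, amount);
    }

    function allocationOf(address token, address allocator, address recipient)
        external
        view
        returns (uint256)
    {
        return _allocations[token][allocator][recipient];
    }

    function totalAllocated(address token) external view returns (uint256) {
        return _totalAllocated[token];
    }

    /// Funds not yet promised to anyone. The invariant the original code lacked is
    /// totalAllocated(token) <= balanceOf(treasury) after every successful allocateFunds.
    function unallocatedBalance(address token) external view returns (uint256) {
        uint256 balance = IERC20(token).balanceOf(address(this));
        uint256 committed = _totalAllocated[token];
        return balance > committed ? balance - committed : 0;
    }
}
```

Keeping a single `_totalAllocated[token]` counter avoids iterating an allocator array on every call (unbounded loops over storage are a gas and liveness risk in their own right), and reading the live `balanceOf` instead of a self-maintained `_balances` mapping means the check cannot drift from what the treasury actually holds.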
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::allocateFunds doesn't say what token you are actually allocating, doesn't check balances, or existing allocations to other recipients
