The current implementation of the Treasury contract does not allow the management of RAAC tokens or any other tokens that are directly sent to the contract. This is particularly problematic for tokens transferred from the FeeCollector contract to the Treasury, as they become inaccessible.
The Treasury contract facilitates token deposits and withdrawals through the deposit(...) and withdraw(...) functions, which allow arbitrary tokens to be managed. However, when analyzing the FeeCollector contract, we see that during fee distribution, tokens are sent directly to the Treasury without using the deposit(...) function:
Since the deposit(...) function is not used, and the withdraw(...) function does not rely on balanceOf(...) for external token tracking, the transferred RAAC tokens become permanently stuck in the Treasury contract.
RAAC tokens sent from the FeeCollector to the Treasury cannot be accessed or withdrawn.
The funds become unrecoverable without a contract modification.
This issue limits the proper functioning of the treasury, preventing the intended use of the collected funds.
N/A
Modify the FeeCollector contract to call the deposit(...) function of the Treasury when transferring tokens.
Alternatively, implement a custom function in the Treasury contract to manage externally received ERC20 tokens properly.
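A sketch of the second recommendation, added here as an illustration and not taken from the RAAC code base: it assumes the Treasury keeps an internal per-token ledger that only deposit(...) credits, which is what makes directly transferred tokens unreachable by withdraw(...). The contract name, the manager role, the _tracked mapping, and the untracked/syncUntracked functions are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration; not the RAAC Treasury source. All names are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract TreasurySketch {
    address public immutable manager;              // assumed single privileged role
    mapping(address => uint256) private _tracked;  // internal ledger, credited only by deposit()

    constructor(address manager_) { manager = manager_; }

    modifier onlyManager() {
        require(msg.sender == manager, "not manager");
        _;
    }

    function deposit(address token, uint256 amount) external {
        require(amount > 0, "zero amount");
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        _tracked[token] += amount;
    }

    // Bounded by the ledger, so tokens that arrived via a plain transfer() are invisible here.
    function withdraw(address token, uint256 amount, address to) external onlyManager {
        require(_tracked[token] >= amount, "insufficient tracked balance");
        _tracked[token] -= amount;
        require(IERC20(token).transfer(to, amount), "transfer failed");
    }

    // Tokens held on-chain but never credited through deposit().
    function untracked(address token) public view returns (uint256) {
        uint256 held = IERC20(token).balanceOf(address(this));
        return held > _tracked[token] ? held - _tracked[token] : 0;
    }

    // Remediation sketch: credit the surplus to the ledger so withdraw() can reach it.
    function syncUntracked(address token) external onlyManager returns (uint256 surplus) {
        surplus = untracked(token);
        require(surplus > 0, "nothing to sync");
        _tracked[token] += surplus;
    }
}
```

Comparing untracked(token) against zero after a fee distribution is also a quick check for whether funds have bypassed the ledger. A production version would use OpenZeppelin's SafeERC20 wrappers so that tokens which do not return a bool are handled.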