Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View all submissions
Previous Next
Submission Details
Severity: medium
Valid

Anyone can donate huge amounts of malicious tokens to the treasury in order to DoS new deposits

Author Revealed upon completion

Summary

Anyone can donate huge amounts of malicious tokens to the treasury in order to DoS new deposits.

Vulnerability Details

The root causes are identified in:

  1. permissionless deposit() function

  2. _totalValue state variable

Code:

function deposit(address token, uint256 amount) external override nonReentrant {
if (token == address(0)) revert InvalidAddress();
if (amount == 0) revert InvalidAmount();
IERC20(token).transferFrom(msg.sender, address(this), amount);
_balances[token] += amount;
// @audit-issue if this overflows no deposits can be made
_totalValue += amount;
emit Deposited(token, amount);
}

Impact

An attacker can create a malicious ERC20 contract that reverts on transfer if the from address is the treasury smart contract and then deposit the whole supply to bring _totalValue close to type(uint256.max):

  • future deposits will revert because _totalValue += amount will likely overflow

  • withdraw() cannot be used to remove such malicious token because it will revert on transfer if from is the treasury address

Note that, only on Ethereum Mainnet, is possible to achieve the same outcome by depositing cUSDC with amount = type(uint256).max, since it will actually transfer the caller's balance.

Tools Used

  • Manual Review

Recommendations

Remove the _totalValue state variable

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.