Submission Details
Severity:
Attacker can break treasury by depositing trash token
Vulnerability Details
In Treasury contract, function deposit()is used to deposit token to treasury:
function deposit(address token, uint256 amount) external override nonReentrant {
if (token == address(0)) revert InvalidAddress();
if (amount == 0) revert InvalidAmount();
IERC20(token).transferFrom(msg.sender, address(this), amount);
_balances[token] += amount;
_totalValue += amount; // <--
emit Deposited(token, amount);
}
No matter what token is deposited, it will increase _totalValue. Attacker can create malicious token owned by them, deposit to protocol, make _totalValuevariable to 2^256 - 1, and make any upcoming deposit to treasury revert due to overflow
Impact
Permament DoS of deposit token to the treasury
Recommendations
Tracking total value of each token separately
Updates
Lead Judging Commences
inallhonesty about 1 month ago
Submission Judgement Published Assigned finding tags:
Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.