Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Funds get stuck in the `Treasury`

Summary

Instead of calling the `Treasury::deposit` function, the `FeeCollector` just transfers the RAACToken directly to the treasury.

Vulnerability Details

The problem is located in the `FeeCollector::_processDistributions` function:

```solidity
function _processDistributions(
    uint256 totalFees,
    uint256[4] memory shares
) internal {
    uint256 contractBalance = raacToken.balanceOf(address(this));
    if (contractBalance < totalFees) revert InsufficientBalance();
    if (shares[0] > 0) {
        uint256 totalVeRAACSupply = veRAACToken.getTotalVotingPower();
        if (totalVeRAACSupply > 0) {
            TimeWeightedAverage.createPeriod(
                distributionPeriod,
                block.timestamp + 1,
                7 days,
                shares[0],
                totalVeRAACSupply
            );
            totalDistributed += shares[0];
        } else {
            shares[3] += shares[0]; // Add to treasury if no veRAAC holders
        }
    }
    if (shares[1] > 0) raacToken.burn(shares[1]);
    if (shares[2] > 0) raacToken.safeTransfer(repairFund, shares[2]);
@>  if (shares[3] > 0) raacToken.safeTransfer(treasury, shares[3]);
}
```

In the last line of the function (marked with `@>`), the RAAC tokens are simply transferred to the treasury instead of being deposited into it. This leaves the funds locked in the treasury, because when tokens are transferred this way the `Treasury::_totalValue` variable and the `Treasury::_balances` mapping are not updated.

Impact

RAAC tokens will be locked in the treasury forever.

Tools Used

Manual Review

Recommendations

Call the `Treasury::deposit` function instead of just transferring the tokens.
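
The accounting gap described in this finding, next to the recommended deposit path, as an added example that is not part of the original submission or the RAAC code base. `MiniToken`, `MiniTreasury` and `MiniCollector` are hypothetical stand-ins; the `deposit`/`withdraw` signatures and the `_balances` check in `withdraw` are assumptions, and access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not RAAC code. All three contracts are hypothetical
// stand-ins; the deposit/withdraw signatures and the balance check in
// withdraw() are assumptions about how the Treasury accounts for funds.
contract MiniToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function approve(address spender, uint256 amt) external { allowance[msg.sender][spender] = amt; }
    function transfer(address to, uint256 amt) external { _move(msg.sender, to, amt); }
    function transferFrom(address from, address to, uint256 amt) external {
        allowance[from][msg.sender] -= amt; // reverts on underflow in 0.8
        _move(from, to, amt);
    }
    function _move(address from, address to, uint256 amt) private {
        balanceOf[from] -= amt;
        balanceOf[to] += amt;
    }
}

contract MiniTreasury {
    mapping(address => uint256) private _balances; // recorded per-token balance
    uint256 private _totalValue;
    function deposit(address token, uint256 amt) external {
        MiniToken(token).transferFrom(msg.sender, address(this), amt);
        _balances[token] += amt;
        _totalValue += amt;
    }
    function withdraw(address token, uint256 amt, address to) external {
        require(_balances[token] >= amt, "InsufficientBalance");
        _balances[token] -= amt;
        _totalValue -= amt;
        MiniToken(token).transfer(to, amt);
    }
    // Held but unrecorded tokens; nonzero means funds withdraw() cannot reach.
    function unaccounted(address token) external view returns (uint256) {
        return MiniToken(token).balanceOf(address(this)) - _balances[token];
    }
}

contract MiniCollector {
    // Pattern from the finding: tokens arrive, accounting is untouched.
    function sendDirect(MiniToken t, address treasury, uint256 amt) external { t.transfer(treasury, amt); }
    // Recommended pattern: approve, then deposit so accounting is updated.
    function sendViaDeposit(MiniToken t, MiniTreasury treasury, uint256 amt) external {
        t.approve(address(treasury), amt);
        treasury.deposit(address(t), amt);
    }
}
```

With tokens minted to `MiniCollector`, `sendDirect` leaves `unaccounted` equal to the transferred amount and `withdraw` reverts for it, while `sendViaDeposit` keeps `unaccounted` at zero. The same `balanceOf(treasury) == recorded balance` comparison works as an invariant in a test suite.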

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

FeeCollector::_processDistributions and emergencyWithdraw directly transfer funds to Treasury where they get permanently stuck
