Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Unprotected State Modification in allocateFunds on Treasury.sol

Summary

The allocateFunds function lacks adequate access control and sanity checks. Although it ensures that only ALLOCATOR_ROLE can allocate funds, it does not validate the allocation itself, for example by ensuring that the total amount allocated stays within the contract's available balance.

Vulnerability Details

_allocations[msg.sender][recipient] = amount;

Impact

An allocator could allocate an inappropriate or excessive amount of funds without restrictions. This could lead to improper fund distribution or malicious behavior.

Tools Used

Recommendations

Implement additional checks to ensure the allocation amounts are valid and do not exceed the treasury's available balance.

// `allocators` is assumed to be an address array of every account holding ALLOCATOR_ROLE,
// and `token` the asset being allocated; neither exists in the audited function as written.
uint256 totalAllocated = 0;
// Sum what every allocator has already earmarked for this recipient
for (uint256 i = 0; i < allocators.length; i++) {
    totalAllocated += _allocations[allocators[i]][recipient];
}
// Refuse the new allocation if it would push the total past the treasury's balance of the token
require(totalAllocated + amount <= _balances[token], "Insufficient funds for allocation");
_allocations[msg.sender][recipient] = amount;

Updates
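The sketch above only sums allocations to one recipient; the judge's tag below also notes that the function does not identify the token and ignores allocations to other recipients. The following is an added illustration, not the audited Treasury.sol, of an allocateFunds that keeps a per-token running total so the invariant "all live allocations <= balance held" is enforced in O(1). It assumes OpenZeppelin AccessControl and SafeERC20, a hypothetical deposit path, and a token-keyed storage layout; only the ALLOCATOR_ROLE name comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/access/AccessControl.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Illustrative treasury, not the audited contract: every allocation is
// bounded per token by the balance the treasury actually holds.
contract BoundedTreasury is AccessControl {
    using SafeERC20 for IERC20;

    bytes32 public constant ALLOCATOR_ROLE = keccak256("ALLOCATOR_ROLE");

    // token => amount deposited and still held by the treasury
    mapping(address => uint256) private _balances;
    // token => sum of all live allocations, across every allocator and recipient
    mapping(address => uint256) private _totalAllocated;
    // token => allocator => recipient => allocated amount
    mapping(address => mapping(address => mapping(address => uint256))) private _allocations;

    event FundsAllocated(address indexed token, address indexed allocator, address indexed recipient, uint256 amount);

    constructor(address admin) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    // Assumed funding path: pulls tokens in and records them as available balance.
    function deposit(address token, uint256 amount) external {
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        _balances[token] += amount;
    }

    // Replaces this allocator's allocation to `recipient` for `token` with `amount`.
    // Invariant enforced after every call: _totalAllocated[token] <= _balances[token].
    function allocateFunds(address token, address recipient, uint256 amount) external onlyRole(ALLOCATOR_ROLE) {
        require(recipient != address(0), "zero recipient");
        uint256 previous = _allocations[token][msg.sender][recipient];
        // Subtract the allocation being replaced before re-checking the bound, so
        // raising or lowering an existing allocation is counted exactly once.
        uint256 newTotal = _totalAllocated[token] - previous + amount;
        require(newTotal <= _balances[token], "Insufficient funds for allocation");
        _totalAllocated[token] = newTotal;
        _allocations[token][msg.sender][recipient] = amount;
        emit FundsAllocated(token, msg.sender, recipient, amount);
    }
}
```

Any later withdrawal or release path should decrement both _totalAllocated[token] and _balances[token] together, otherwise the bound drifts from the real balance.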

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::allocateFunds doesn't say what token you are actually allocating, doesn't check balances, or existing allocations to other recipients.
