Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Treasury::allocateFunds lacks validation for available funds

Summary

The function allocateFunds is used to allocate funds to a recipient. However, no validation is performed to check that msg.sender actually holds that amount of funds.

Attack scenario:

  • An allocator allocates 100e18 tokens.

  • The allocator only holds a balance of 1e18.

  • The recipient of the allocation cannot actually use the allocated funds.

Vulnerability Details

Here is the code; it is clearly visible that the funds allocated to the recipient are never checked for existence:

function allocateFunds(
    address recipient,
    uint256 amount
) external override onlyRole(ALLOCATOR_ROLE) {
    if (recipient == address(0)) revert InvalidRecipient();
    if (amount == 0) revert InvalidAmount();
    //@audit what if there is not enough balance for the token present ?
    _allocations[msg.sender][recipient] = amount;
    emit FundsAllocated(recipient, amount);
}

Impact

  • Allocators can record allocations larger than the funds that actually exist.

Tools Used

Manual review

Recommendations

Check balances before allocating, or lock the tokens.
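As an added illustration of the "lock the tokens" recommendation (this is example code, not from the Regnum Aurum codebase or the submitter), the variant below makes the token explicit and pulls the allocated amount into the treasury at allocation time, so an allocation can only be recorded if the allocator really holds and has approved those tokens; it also addresses the judge's point that the original never identifies which token is being allocated. The hand-rolled IERC20 interface, the isAllocator role mapping, the accumulating allocations mapping and the claim function are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed for escrow (assumed for this example).
// A real deployment would use OpenZeppelin's IERC20 + SafeERC20 so that
// tokens which do not return a bool (e.g. some older ones) are handled.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract EscrowedTreasury {
    error InvalidRecipient();
    error InvalidAmount();
    error InvalidToken();
    error NotAllocator();
    error TransferFailed();

    event FundsAllocated(address indexed token, address indexed allocator, address indexed recipient, uint256 amount);

    mapping(address => bool) public isAllocator; // stand-in for ALLOCATOR_ROLE
    // token => allocator => recipient => amount currently escrowed for recipient
    mapping(address => mapping(address => mapping(address => uint256))) public allocations;

    constructor(address initialAllocator) {
        isAllocator[initialAllocator] = true;
    }

    // Hardened allocateFunds: the amount is escrowed in this contract before the
    // allocation is recorded, so the bookkeeping can never exceed real funds.
    // Each call escrows fresh tokens, so allocations to other recipients are not
    // double-counted the way a bare "balanceOf >= amount" check would allow.
    function allocateFunds(address token, address recipient, uint256 amount) external {
        if (!isAllocator[msg.sender]) revert NotAllocator();
        if (token == address(0)) revert InvalidToken();
        if (recipient == address(0)) revert InvalidRecipient();
        if (amount == 0) revert InvalidAmount();

        // Reverts if the allocator's balance or allowance is insufficient.
        if (!IERC20(token).transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
        allocations[token][msg.sender][recipient] += amount;
        emit FundsAllocated(token, msg.sender, recipient, amount);
    }

    // Recipient withdraws tokens that were escrowed for them by a given allocator.
    function claim(address token, address allocator, uint256 amount) external {
        uint256 available = allocations[token][allocator][msg.sender];
        if (amount == 0 || amount > available) revert InvalidAmount();
        allocations[token][allocator][msg.sender] = available - amount;
        if (!IERC20(token).transfer(msg.sender, amount)) revert TransferFailed();
    }
}
```

Note that the original overwrote the stored allocation on each call; this example accumulates instead, which is a design choice to make here rather than something the finding prescribes.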

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::allocateFunds doesn't say what token you are actually allocating, doesn't check balances, or existing allocations to other recipients
