The allocateFunds function in the Treasury contract does not specify which token the allocation is for. This oversight can lead to issues if different tokens with varying decimal places and prices are used, potentially causing confusion and incorrect fund allocations.
No Token Specification: The allocateFunds function allows allocations without indicating the specific token being allocated. This can lead to ambiguity if multiple tokens are involved, especially if they have different decimal configurations or different prices.
Decimal Discrepancies: If tokens with different decimals are used, the allocation amounts may not correspond correctly to the intended values, leading to potential mismanagement of funds.
Price Variability: Different ERC-20 tokens may have different market prices. If recipients are allowed to withdraw allocated funds without token specification, they could choose to withdraw the most expensive token, leading to unfair advantages.
This vulnerability can result in incorrect allocations, confusion among users, and financial exploitation.
Specify Token in Allocation: Modify the allocateFunds function to include a parameter for the token being allocated, ensuring clarity and correctness in fund management.
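A sketch of the recommendation, added here as an illustration and not taken from the audited Treasury contract: the first contract shows the reported pattern, the second keys each allocation by token. The contract names, storage layout, event, errors and the single-allocator check are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration. Contract names, storage layout and the single-allocator
// check are assumptions, not the audited Treasury code.

// Pattern described in the finding: the amount is recorded with no token.
// Access control is omitted in this sketch.
contract AmbiguousTreasurySketch {
    // allocator => recipient => amount (units of which token?)
    mapping(address => mapping(address => uint256)) public allocations;

    function allocateFunds(address recipient, uint256 amount) external {
        // 1_000_000 here is 1.0 of a 6-decimal token but 0.000000000001
        // of an 18-decimal token; nothing on-chain says which was meant.
        allocations[msg.sender][recipient] = amount;
    }
}

// Recommended shape: the token is an explicit parameter and part of the key.
contract TokenAwareTreasurySketch {
    address public immutable allocator; // hypothetical stand-in for a role check

    // allocator => token => recipient => amount in that token's smallest unit
    mapping(address => mapping(address => mapping(address => uint256))) public allocations;

    event FundsAllocated(address indexed token, address indexed recipient, uint256 amount);

    error NotAllocator();
    error ZeroAddress();

    constructor(address allocator_) {
        allocator = allocator_;
    }

    function allocateFunds(address token, address recipient, uint256 amount) external {
        if (msg.sender != allocator) revert NotAllocator();
        if (token == address(0) || recipient == address(0)) revert ZeroAddress();
        // The token is part of the key, so allocations in different tokens
        // never share a slot and each amount has a defined unit.
        allocations[msg.sender][token][recipient] = amount;
        emit FundsAllocated(token, recipient, amount);
    }
}
```

Any code that later consumes an allocation has to read it with the same token key, so the recipient cannot pick which asset an amount is applied to.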