Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Fees are locked in the treasury.

Bug description

The Treasury accepts token deposits that a manager can later withdraw.

Treasury.sol#L50-L52

IERC20(token).transferFrom(msg.sender, address(this), amount);
_balances[token] += amount;
_totalValue += amount;

Treasury.sol#L64-L75

function withdraw(
    address token,
    uint256 amount,
    address recipient
) external override nonReentrant onlyRole(MANAGER_ROLE) {
    if (token == address(0)) revert InvalidAddress();
    if (recipient == address(0)) revert InvalidRecipient();
    if (_balances[token] < amount) revert InsufficientBalance();
    _balances[token] -= amount;
    _totalValue -= amount;
    IERC20(token).transfer(recipient, amount);

When the FeeCollector's _processDistributions() function is invoked, it transfers the fees belonging to the treasury with a plain safeTransfer().

FeeCollector.sol#L423

if (shares[3] > 0) raacToken.safeTransfer(treasury, shares[3]);

This is problematic because, as shown above, a manager can withdraw funds only if the treasury's _balances mapping has been incremented for them. Tokens sent with a plain safeTransfer() never update that mapping, so they are locked in the treasury with no way to withdraw them.

Impact

Funds are stuck in the treasury without a way to withdraw them.

Recommended Mitigation

Instead of doing a plain transfer, use the treasury's deposit() function.
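The accounting gap and the mitigation path, as an added example that is not part of the original submission or the project's code. MockToken, MiniTreasury and Demo are hypothetical stand-ins, and the deposit(address,uint256) signature is assumed from the Treasury.sol#L50-L52 excerpt; role checks and reentrancy guards are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Added example: MockToken, MiniTreasury and Demo are hypothetical stand-ins,
// not the project's contracts. Role checks and reentrancy guards are omitted.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    constructor() { balanceOf[msg.sender] = 1000e18; }
    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }
    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}
contract MiniTreasury {
    mapping(address => uint256) public balances; // mirrors _balances on the page
    // Signature assumed from the Treasury.sol#L50-L52 excerpt.
    function deposit(address token, uint256 amount) external {
        MockToken(token).transferFrom(msg.sender, address(this), amount);
        balances[token] += amount;
    }
    function withdraw(address token, uint256 amount, address recipient) external {
        require(balances[token] >= amount, "InsufficientBalance");
        balances[token] -= amount;
        MockToken(token).transfer(recipient, amount);
    }
}
contract Demo {
    // Returns the tokens held by the treasury that its accounting cannot release.
    function run() external returns (uint256 stuck) {
        MockToken token = new MockToken();          // Demo holds the initial supply
        MiniTreasury treasury = new MiniTreasury();
        token.transfer(address(treasury), 100e18);  // direct transfer, as in FeeCollector
        token.approve(address(treasury), 50e18);
        treasury.deposit(address(token), 50e18);    // mitigation path: tracked in balances
        treasury.withdraw(address(token), 50e18, address(this)); // tracked funds leave
        try treasury.withdraw(address(token), 100e18, address(this)) { revert("untracked funds left"); } catch {}
        stuck = token.balanceOf(address(treasury)) - treasury.balances(address(token));
    }
}
```

The same comparison of the token's balanceOf for the treasury against the treasury's internal per-token balance can be run as a monitoring invariant against a deployed contract.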

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

FeeCollector::_processDistributions and emergencyWithdraw directly transfer funds to Treasury where they get permanently stuck
