Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Fees are locked in the treasury.

Bug description

The Treasury accepts token deposits, which a manager can later withdraw. Both paths rely on the Treasury's internal _balances accounting.

Treasury.sol#L50-L52

    IERC20(token).transferFrom(msg.sender, address(this), amount);
    _balances[token] += amount;
    _totalValue += amount;

Treasury.sol#L64-L75

    function withdraw(
        address token,
        uint256 amount,
        address recipient
    ) external override nonReentrant onlyRole(MANAGER_ROLE) {
        if (token == address(0)) revert InvalidAddress();
        if (recipient == address(0)) revert InvalidRecipient();
        if (_balances[token] < amount) revert InsufficientBalance();
        _balances[token] -= amount;
        _totalValue -= amount;
        IERC20(token).transfer(recipient, amount);

When the FeeCollector's _processDistributions() function is invoked, it sends the fees belonging to the treasury with a plain safeTransfer().

FeeCollector.sol#L423

    if (shares[3] > 0) raacToken.safeTransfer(treasury, shares[3]);

This is a problem because, as shown above, a manager can only withdraw funds that have been recorded in the treasury's _balances mapping. Tokens sent with a plain safeTransfer() never increment that mapping, so they are locked in the treasury with no way to withdraw them.

Impact

Funds are stuck in the treasury without a way to withdraw them.

Recommended Mitigation

Instead of a plain transfer, use the treasury's deposit() function.
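
The accounting mismatch and the effect of the mitigation, as an added example that is not part of the submission or the project's code. It is a plain-JavaScript model: Token, Treasury, the two distribute helpers and the single-token ledger are simplified stand-ins assumed for illustration.

```javascript
// Added illustration: a model of the accounting in this finding, not the project's Solidity.
// All names below are hypothetical stand-ins; the real Treasury tracks _balances per token.
class Token {
  constructor() { this.bal = new Map(); }
  balanceOf(a) { return this.bal.get(a) ?? 0n; }
  mint(a, n) { this.bal.set(a, this.balanceOf(a) + n); }
  transfer(from, to, n) {
    if (this.balanceOf(from) < n) throw new Error("ERC20: insufficient balance");
    this.bal.set(from, this.balanceOf(from) - n);
    this.bal.set(to, this.balanceOf(to) + n);
  }
}

class Treasury {
  constructor(token) { this.addr = "treasury"; this.token = token; this.tracked = 0n; }
  // Models deposit(): pull the tokens AND update the internal ledger.
  deposit(sender, n) { this.token.transfer(sender, this.addr, n); this.tracked += n; }
  // Models withdraw(): gated on the internal ledger, not on balanceOf().
  withdraw(n, recipient) {
    if (this.tracked < n) throw new Error("InsufficientBalance");
    this.tracked -= n;
    this.token.transfer(this.addr, recipient, n);
  }
  // Invariant check: tokens the treasury holds that withdraw() cannot reach.
  stranded() { return this.token.balanceOf(this.addr) - this.tracked; }
}

// Reported behaviour: the treasury share is pushed with a bare transfer.
function distributeByTransfer(token, treasury, share) {
  token.transfer("feeCollector", treasury.addr, share);
}
// Recommended behaviour: the share is routed through deposit().
function distributeByDeposit(token, treasury, share) {
  treasury.deposit("feeCollector", share);
}

// Runs one distribution of 100 units, then has the manager try to withdraw it.
function scenario(distribute) {
  const token = new Token();
  const treasury = new Treasury(token);
  token.mint("feeCollector", 100n);
  distribute(token, treasury, 100n);
  let withdrawn = true;
  try { treasury.withdraw(100n, "manager"); } catch (e) { withdrawn = false; }
  return { withdrawn, stranded: treasury.stranded() };
}
```

The same comparison of the token's balanceOf(treasury) against the tracked balance works as a test invariant for any contract that keeps its own ledger.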

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

FeeCollector::_processDistributions and emergencyWithdraw directly transfer funds to Treasury where they get permanently stuck
