Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Internal token accounting in the treasury contract can be incorrect (weird ERC20 tokens)

Target

contracts/core/collectors/Treasury.sol

Vulnerability Details

The deposit function of the Treasury contract keeps an internal accounting of the total amount of each token deposited into the contract, using a mapping from token address to amount. This mapping is updated from the amount argument passed in for a token during a deposit: the stored balance of the token (the internal accounting) is incremented by the amount value passed to the function, not by the amount the contract actually received.

    function deposit(address token, uint256 amount) external override nonReentrant {
        if (token == address(0)) revert InvalidAddress();
        if (amount == 0) revert InvalidAmount();
        // Transfers `amount` from the caller; a fee-on-transfer token delivers less than `amount`.
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        // Internal accounting is credited with the requested amount, not the amount received.
        _balances[token] += amount;
        _totalValue += amount;
        emit Deposited(token, amount);
    }

Treasury.deposit

This internal accounting may deviate from the true token balance of the contract for tokens that deduct a fee or tax on transfer (so-called weird ERC20 tokens), because such tokens do not deliver the exact amount specified by the user.

Impact

Where the token balance recorded by the contract differs from its true balance, accounting inconsistencies arise and may introduce bugs in other parts of the codebase that rely on these values.

Tools Used

Manual Review

Recommendations

Track token balances using the balanceOf method on the token contract rather than relying on internal accounting, which may be incorrect.
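The recommendation applied to the deposit path, as an added example rather than the project's code: the treasury credits the caller with the balanceOf delta it actually received, so a fee-on-transfer token cannot push _balances[token] above the real holdings. The OpenZeppelin v5 import paths, the contract name and the isAccountingConsistent helper are assumptions for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Hypothetical treasury excerpt (not the audited project's code): credits the
/// depositor with the amount actually received, so fee-on-transfer tokens
/// cannot make _balances[token] exceed the contract's real token balance.
contract TreasuryDepositExample is ReentrancyGuard {
    using SafeERC20 for IERC20;

    error InvalidAddress();
    error InvalidAmount();

    mapping(address => uint256) private _balances;
    uint256 private _totalValue;

    event Deposited(address indexed token, uint256 requested, uint256 received);

    function deposit(address token, uint256 amount) external nonReentrant {
        if (token == address(0)) revert InvalidAddress();
        if (amount == 0) revert InvalidAmount();

        // Measure the contract's own balance before and after the transfer;
        // the delta is what was really received, whatever fee the token took.
        uint256 before = IERC20(token).balanceOf(address(this));
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        if (received == 0) revert InvalidAmount();

        // Credit only the received amount, never the requested one.
        _balances[token] += received;
        _totalValue += received;
        emit Deposited(token, amount, received);
    }

    /// Invariant a monitor or test can check: internal accounting must never
    /// exceed what the token contract reports the treasury holds.
    function isAccountingConsistent(address token) external view returns (bool) {
        return _balances[token] <= IERC20(token).balanceOf(address(this));
    }
}
```

The before/after delta addresses fee-on-transfer tokens at deposit time; a rebasing token can still change the contract's balance afterwards, which is why reading balanceOf (as the invariant helper does) remains the reliable source of truth.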

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _balances[token] with amount, not taking FoT or rebasing into account
