Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

The Treasury.sol::withdraw() function is not handling weird ERC20 tokens (e.g. USDT) properly

Summary

The Treasury.sol::withdraw() function calls IERC20(token).transfer directly, which does not handle non-standard ERC-20 implementations correctly. Some tokens deviate from the standard (missing return values, transfer fees, or state-altering mechanics such as rebasing), so the call can revert or leave the treasury with incorrect token balances.

Vulnerability Details

Affected code

The contract directly calls IERC20(token).transfer(recipient, amount);, which assumes every ERC-20 implementation returns a boolean and behaves as the standard describes. Because the call goes through the IERC20 interface, Solidity expects a 32-byte boolean in the return data; a token such as USDT, whose transfer function returns nothing, therefore makes the call revert even though the token's own transfer logic succeeded. Other ERC-20 variants impose transfer fees, change balances unexpectedly, or run additional logic (rebasing tokens, tax tokens, tokens with hooks). Since the treasury is designed to support multiple ERC-20 tokens, as stated in the docs, failing to accommodate these cases limits its usability and can disrupt fund withdrawals. Users holding non-standard tokens may see failed transactions or unexpected deductions, leading to loss of access or incorrect balances.

Impact

  • Withdrawals using non-standard ERC-20 tokens may fail, preventing fund retrieval.

  • Unexpected token behavior may cause incorrect balances in the treasury, leading to fund mismanagement.

  • Tokens with transaction fees could result in less than the expected amount being withdrawn, creating financial discrepancies.

  • Potential loss of funds if an unsupported token's transfer function behaves unexpectedly.

Tools Used

  • Manual review

Recommendations

Replace direct ERC-20 interactions with OpenZeppelin’s SafeERC20 library. This modification ensures compatibility with all ERC-20 tokens and prevents unexpected reverts, handling non-standard ERC-20 behaviors properly.
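The following is an added example, not code from the report or from the project's Treasury.sol: a constructed USDT-style token with no return value, a treasury that reproduces the flagged pattern, and the same treasury rewritten with SafeERC20. NoReturnToken, VulnerableTreasury and SafeTreasury are hypothetical names chosen for this demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed USDT-style token for the demo: transfer() moves balances but
/// declares no return value, exactly the behaviour the finding describes.
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;

    constructor() {
        balanceOf[msg.sender] = 1_000_000e6;
    }

    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}

/// Pattern the finding flags (hypothetical; not the project's Treasury.sol).
/// Calling through IERC20 makes Solidity expect 32 bytes of return data, so
/// the ABI decoder reverts when NoReturnToken returns nothing, even though the
/// token's own transfer logic ran without error. Access control is omitted
/// because it is not the point of the example.
contract VulnerableTreasury {
    function withdraw(address token, address to, uint256 amount) external {
        IERC20(token).transfer(to, amount); // reverts for NoReturnToken
    }
}

/// Hardened form using the recommended SafeERC20 wrapper. safeTransfer makes a
/// low-level call and accepts either no return data (from a contract address)
/// or a decoded `true`; it still reverts on `false` or on a failed call.
contract SafeTreasury {
    using SafeERC20 for IERC20;

    function withdraw(address token, address to, uint256 amount) external {
        IERC20(token).safeTransfer(to, amount); // succeeds for NoReturnToken
    }
}
```

Deploying NoReturnToken and funding both treasuries in Hardhat, then calling withdraw on each, shows the first reverting and the second succeeding. SafeERC20 does not address fee-on-transfer or rebasing tokens, which need before/after balance accounting as a separate change.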

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[INVALID] SafeERC20 not used

LightChaser Low-60
