Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Anyone can DOS deposits to Treasury

charlescheerful

Vulnerability Details

Treasury::deposit() can be DOSed by increasing the _totalValue to uint256.max.

This can easily be done with a fake ERC20 token created by an attacker:

  • Attacker deploys an ERC20 and mints himself uint256.max tokens. Or enough to top up the _totalValue to uint256.max.

  • Attacker calls Treasury::deposit(maliciousToken, uint256.max).

  • As all tokens share the same _totalValue state. Any other legit call to deposit will try to increase _totalValue and it will revert by overflow.

See the code here:

@> // 🔴👁️ Anyone can call this function with any token address and high amounts
function deposit(address token, uint256 amount) external override nonReentrant {
if (token == address(0)) revert InvalidAddress();
if (amount == 0) revert InvalidAmount();
IERC20(token).transferFrom(msg.sender, address(this), amount);
_balances[token] += amount;
@> // 🔴👁️ This line can be DOSed by increasing _totalValue to uint256.max.
@> // 🔴👁️ Any call with legit tokens will also try to increase this value and always revert.
@> _totalValue += amount;
emit Deposited(token, amount);
}

Impact

Treasury deposits can be DOSed easily by anyone.

Recommendations

Track _totalValue token-wise. Like with a mapping that maps token address to its total value in the Treasury.

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.