The Treasury contract manages protocol treasury funds with role-based access control. It is expected to hold only the tokens the protocol actually needs, which are assumed to be valuable.
Token balances are tracked in a mapping, together with a single running total of all deposited amounts across every token. Because any arbitrary token counts toward this total, it can easily be pushed to the maximum of uint256, after which every further token deposit reverts.
The token address is user supplied.
The balance of each deposited token is tracked in the _balances mapping.
_totalValue is the sum of all deposited token amounts, regardless of which token they belong to.
Because this function can be called with any token address, a malicious actor can create their own token and call deposit with an amount close to or equal to the uint256 maximum.
As a result, any later deposit of a valuable token reverts due to overflow.
The deposit function reverts due to overflow of _totalValue, so no further deposits of any token are possible.
Manual review.
_totalValue is only read inside getTotalValue(), which reports the total amount of deposited tokens.
Since there is no other use for it, this function can instead be modified to return the balance of a particular token.
In short, _totalValue can be removed.
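The two contracts below are an added illustration written for this finding, not the audited project's code. The names deposit, getTotalValue, _balances and _totalValue follow the report; the contract names TreasuryVulnerable and TreasuryFixed, the getBalance getter, the minimal IERC20 stub, and the omission of the project's role checks are assumptions. The first contract shows how a cross-token total reaches the revert condition; the second applies the recommendation of dropping _totalValue and exposing per-token balances.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface, only what deposit() needs (assumed interface, not the project's).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Pattern described in the finding: one protocol-wide _totalValue summing raw
// amounts of every token. Role-based access control is omitted for brevity.
contract TreasuryVulnerable {
    mapping(address => uint256) private _balances; // token => amount held
    uint256 private _totalValue;                   // sum of all deposits, all tokens

    function deposit(address token, uint256 amount) external {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        _balances[token] += amount;
        // Solidity >=0.8 checked arithmetic: once _totalValue is near type(uint256).max,
        // which a worthless token with arbitrary supply can bring about, this line
        // reverts with Panic(0x11) for every later deposit, including valuable tokens.
        _totalValue += amount;
    }

    function getTotalValue() external view returns (uint256) {
        return _totalValue;
    }
}

// Recommended shape: per-token accounting only, no cross-token total.
contract TreasuryFixed {
    mapping(address => uint256) private _balances; // token => amount held

    function deposit(address token, uint256 amount) external {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        // A huge balance recorded for one token can no longer block deposits of another:
        // the only accumulator is the one for this specific token.
        _balances[token] += amount;
    }

    // Replaces getTotalValue(): report the balance of a particular token rather than a
    // sum across tokens that mixes unrelated decimals and has no single-unit meaning.
    function getBalance(address token) external view returns (uint256) {
        return _balances[token];
    }
}
```

In a test against TreasuryVulnerable, depositing type(uint256).max of a throwaway token and then depositing 1 unit of any other token reverts on the second call with Panic(0x11); the same sequence against TreasuryFixed succeeds, and getBalance reports each token independently.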