Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

Untracked RAAC transfers cause permanent token lock in treasury

Summary

The FeeCollector sends RAAC tokens directly to the Treasury contract without using its deposit function, causing the tokens to become untracked and stuck.

Vulnerability Details

The Treasury contract's deposit function is the only path that increments the stored balance (_balances) of a deposited token. However, FeeCollector bypasses it and transfers the tokens to the Treasury directly:

raacToken.safeTransfer(treasury, shares[3]);

Treasury's withdraw, meanwhile, only releases amounts that _balances has recorded:

    function withdraw(
        address token,
        uint256 amount,
        address recipient
    ) external override nonReentrant onlyRole(MANAGER_ROLE) {
        if (token == address(0)) revert InvalidAddress();
        if (recipient == address(0)) revert InvalidRecipient();
        if (_balances[token] < amount) revert InsufficientBalance();
        _balances[token] -= amount;
        _totalValue -= amount;
        IERC20(token).transfer(recipient, amount);
        emit Withdrawn(token, amount, recipient);
    }

Impact

High: RAAC tokens sent by FeeCollector are never credited to _balances, so any withdraw of them reverts with InsufficientBalance and the tokens remain permanently locked in Treasury.

Recommendations

Use Treasury's deposit function in FeeCollector when sending fees.
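To make the untracked-transfer problem and the recommended fix concrete, here is an added example (not the project's code): a minimal treasury that mirrors the _balances accounting shown in withdraw above, beside a fee forwarder with the vulnerable direct transfer and the corrected approve-then-deposit path. The deposit(token, amount) signature, the pull-via-transferFrom behaviour, and the untrackedBalance monitoring view are assumptions; access control and reentrancy guards from the real contracts are omitted for brevity. forceApprove is the OpenZeppelin SafeERC20 v5 helper.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical treasury interface; the real Treasury's deposit signature is assumed.
interface IMiniTreasury {
    function deposit(address token, uint256 amount) external;
}

// Minimal treasury reproducing the accounting in the finding:
// withdraw() can only release what _balances has recorded.
contract MiniTreasury is IMiniTreasury {
    using SafeERC20 for IERC20;

    error InsufficientBalance();

    mapping(address => uint256) private _balances;
    uint256 private _totalValue;

    // The only path that credits _balances: pulls tokens the caller approved.
    function deposit(address token, uint256 amount) external override {
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        _balances[token] += amount;
        _totalValue += amount;
    }

    // Same check as the finding's withdraw: tracked balance gates the release.
    function withdraw(address token, uint256 amount, address recipient) external {
        if (_balances[token] < amount) revert InsufficientBalance();
        _balances[token] -= amount;
        _totalValue -= amount;
        IERC20(token).safeTransfer(recipient, amount);
    }

    function trackedBalance(address token) external view returns (uint256) {
        return _balances[token];
    }

    // Monitoring helper (assumed, not in the project): tokens held above the
    // tracked amount arrived without deposit() and cannot leave via withdraw().
    function untrackedBalance(address token) external view returns (uint256) {
        return IERC20(token).balanceOf(address(this)) - _balances[token];
    }
}

// Fee forwarder showing the vulnerable and the corrected hand-off to the treasury.
contract FeeForwarder {
    using SafeERC20 for IERC20;

    IERC20 public immutable raacToken;
    IMiniTreasury public immutable treasury;

    constructor(IERC20 token_, IMiniTreasury treasury_) {
        raacToken = token_;
        treasury = treasury_;
    }

    // Vulnerable pattern from the finding: a plain transfer never touches the
    // treasury's _balances, so untrackedBalance() grows and withdraw() reverts.
    function forwardUntracked(uint256 amount) external {
        raacToken.safeTransfer(address(treasury), amount);
    }

    // Corrected pattern: approve exactly the amount, then let the treasury
    // pull it through deposit() so _balances and _totalValue are credited.
    function forwardTracked(uint256 amount) external {
        raacToken.forceApprove(address(treasury), amount);
        treasury.deposit(address(raacToken), amount);
    }
}
```

After a call to forwardUntracked, untrackedBalance(raacToken) equals the forwarded amount while trackedBalance stays unchanged; after forwardTracked both the token balance and trackedBalance rise together and untrackedBalance stays at zero. A nonzero untrackedBalance is the condition an invariant test or off-chain monitor would flag for this class of bug.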

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

FeeCollector::_processDistributions and emergencyWithdraw directly transfer funds to Treasury where they get permanently stuck
