Core Contracts

Summary

The Treasury.sol contract assigns all critical roles (DEFAULT_ADMIN_ROLE, MANAGER_ROLE, and ALLOCATOR_ROLE) to a single address provided in the constructor. This design means that if the assigned admin address is compromised, a malicious actor could gain full control over sensitive functions such as withdraw and allocateFunds, leading to potential theft of tokens from the treasury.

Vulnerability Details

In the constructor, the contract assigns roles as follows:

All roles are granted to the same admin address, consolidating all permissions into a single point of failure.

The contract does not provide any functions to update or revoke roles after deployment. This means that if the admin address becomes compromised, there is no mechanism to reassign or revoke these roles, leaving the contract vulnerable to long-term exploitation.

Impact

Unauthorized Access:
A compromised admin address would enable an attacker to call privileged functions such as withdraw and allocateFunds, potentially allowing them to steal all tokens stored in the treasury.

Assigning all roles to a single address creates a single point of failure, significantly increasing the risk profile of the contract. The contract’s security heavily depends on the safety of one key.

Without the ability to update or revoke roles, any compromise of the admin address would permanently undermine the security of the treasury, potentially resulting in irreversible financial losses.

Tools Used

Recommendations

Introduce an Owner Role:
Modify the constructor to set an owner as the deployer, separate from the admin. For example:

Implement Role Management Functions:
Add functions that allow the owner to grant or revoke roles, providing flexibility to respond if an admin key is compromised: