Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Malicious user can easily brick Treasury

OpaBatyo

Summary

Any malicious user can very easily brick the treasury contract.

Vulnerability Details

The Treasury contract allows permissionless deposits:

function deposit(address token, uint256 amount) external override nonReentrant {
if (token == address(0)) revert InvalidAddress();
if (amount == 0) revert InvalidAmount();
IERC20(token).transferFrom(msg.sender, address(this), amount);
_balances[token] += amount;
_totalValue += amount;
emit Deposited(token, amount);
}

Not only that, but it allows an arbitrary token to be specified. An attacker can deploy a malicious token, mint themselves type(uint256).max and deposit them into the Treasury contract. This will inflate the _totalValue variable to the max and any subsequent deposit attempts of any token type will revert due to overflow of the _totalValue variable.

The attacker will make the token pausable and pause it after the deposit so any attempts to withdraw them out will revert and leave the treasury bricked and useless.

Impact

Malicious user can easily brick the treasury permanently.

Tools Used

Manual Review

Recommendations

If the protocol wants to leave permissionless deposits to the treasury, create a whitelist of allowed tokens.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!