Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

The allocation system of the treasury is broken

Summary

The Treasury contract's allocation system lacks critical checks and accounting, allowing allocations without specifying tokens and without validating against actual balances.

Vulnerability Details

The allocateFunds function only tracks allocations without any token or balance validation:

    function allocateFunds(
        address recipient,
        uint256 amount
    ) external override onlyRole(ALLOCATOR_ROLE) {
        if (recipient == address(0)) revert InvalidRecipient();
        if (amount == 0) revert InvalidAmount();
        _allocations[msg.sender][recipient] = amount;
        emit FundsAllocated(recipient, amount);
    }

Impact

High: The allocation system is broken in several places, posing risks such as loss of allocation accounting data, conflicting allocations, failed withdrawals and broken core functionality.

Issues:

  • Allocations can exceed available balances

  • No tracking of which token is being allocated (the deposit function can interact with multiple token addresses)

  • Previous allocations can be silently overwritten

  • withdraw does not account for allocations

  • Allocations are stale as they do not reflect actual available funds

Recommendations

Update allocateFunds to include token specification and balance checks. When withdrawing funds, the allocations should be updated to reflect the withdrawn amount.
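
One way to apply this recommendation, as an added sketch that is not the project's contract or the submitter's code. It assumes tokens that return a bool from transfer/transferFrom, replaces the role checks with a single admin, and every name other than allocateFunds, InvalidRecipient, InvalidAmount and FundsAllocated is hypothetical:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20Min {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Added sketch, not the project's Treasury. Names other than allocateFunds,
// InvalidRecipient, InvalidAmount and FundsAllocated are hypothetical.
contract TreasuryAllocationSketch {
    error InvalidRecipient();
    error InvalidAmount();
    error Unauthorized();
    error ExceedsAvailable();
    error TransferFailed();

    address public immutable admin;                      // stands in for the role checks
    mapping(address => uint256) public held;             // token => balance held
    mapping(address => uint256) public totalAllocated;   // token => sum of open allocations
    mapping(address => mapping(address => uint256)) public allocationOf; // token => recipient => amount

    event FundsAllocated(address indexed token, address indexed recipient, uint256 previous, uint256 amount);

    constructor() { admin = msg.sender; }
    modifier onlyAdmin() { if (msg.sender != admin) revert Unauthorized(); _; }

    function deposit(address token, uint256 amount) external {
        if (amount == 0) revert InvalidAmount();
        if (!IERC20Min(token).transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
        held[token] += amount;
    }

    function allocateFunds(address token, address recipient, uint256 amount) external onlyAdmin {
        if (recipient == address(0)) revert InvalidRecipient();
        if (amount == 0) revert InvalidAmount();
        uint256 previous = allocationOf[token][recipient];
        uint256 newTotal = totalAllocated[token] - previous + amount;
        if (newTotal > held[token]) revert ExceedsAvailable(); // cannot promise more than is held
        totalAllocated[token] = newTotal;
        allocationOf[token][recipient] = amount;
        emit FundsAllocated(token, recipient, previous, amount); // an overwrite is visible in the log
    }

    function withdraw(address token, address recipient, uint256 amount) external onlyAdmin {
        if (amount == 0 || amount > allocationOf[token][recipient]) revert InvalidAmount();
        allocationOf[token][recipient] -= amount; // allocation shrinks with the payout
        totalAllocated[token] -= amount;
        held[token] -= amount;
        if (!IERC20Min(token).transfer(recipient, amount)) revert TransferFailed();
    }
}
```

Because totalAllocated[token] never exceeds held[token], each allocation stays backed by funds the contract actually holds, and withdraw updates state before the external transfer call.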

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::allocateFunds doesn't say what token you are actually allocating, doesn't check balances, or existing allocations to other recipients
