Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Funds are allocated to an address by the allocator but there is no way the allocation recipient can claim/use his allocated funds

Summary

Funds are allocated to an address by the allocator, but there is no way for the allocation recipient to claim or use the funds allocated to him.

Vulnerability Details

The function allocateFunds() in Treasury.sol allows the holder of the allocator role to allocate some funds to a recipient, as seen here:

function allocateFunds(
    address recipient,
    uint256 amount
) external override onlyRole(ALLOCATOR_ROLE) {
    if (recipient == address(0)) revert InvalidRecipient();
    if (amount == 0) revert InvalidAmount();
    // Only records the amount in the mapping; no tokens are moved here.
    _allocations[msg.sender][recipient] = amount;
    emit FundsAllocated(recipient, amount);
}

There is no way, first inside Treasury.sol and second in the whole codebase, for the recipient to take possession of the funds allocated to him, nor any way for him to use the funds without taking possession of them. This is not correct, as the purpose of allocating funds to someone is that he should take possession of those funds or at least use them through a vault.

Impact

According to the docs:

Fund Allocations
Maps allocator => recipient => amount
Records intended fund distributions
Does not affect actual token balances

But there is no function that carries out the intended fund distribution to the recipient. This is an issue that can impact recipients, as they won't receive anything.

Tools Used

Manual review

Recommendations

Implement a function that allows the recipient to take possession of the allocated funds.
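One possible shape for such a function, as an added sketch that is not the project's Treasury code: it keeps the report's allocator => recipient => amount mapping and adds a pull-style claim. The contract name, claimAllocation, AllocationClaimed, the single-token setup and the single allocator address standing in for ALLOCATOR_ROLE are all assumptions, and it presumes the team wants allocations to be claimable even though the docs currently describe them as bookkeeping only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC-20 surface used below; assumes a token whose transfer returns bool.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical sketch: role checks are reduced to one allocator address.
contract AllocationClaimSketch {
    IERC20Minimal public immutable token; // assumed: allocations use one token
    address public immutable allocator;   // stands in for ALLOCATOR_ROLE
    // Same layout as in the report: allocator => recipient => amount
    mapping(address => mapping(address => uint256)) private _allocations;

    event FundsAllocated(address indexed recipient, uint256 amount);
    event AllocationClaimed(address indexed from, address indexed recipient, uint256 amount);
    error InvalidRecipient();
    error InvalidAmount();
    error NotAllocator();
    error NothingToClaim();
    error TransferFailed();

    constructor(IERC20Minimal token_, address allocator_) {
        token = token_;
        allocator = allocator_;
    }

    function allocateFunds(address recipient, uint256 amount) external {
        if (msg.sender != allocator) revert NotAllocator();
        if (recipient == address(0)) revert InvalidRecipient();
        if (amount == 0) revert InvalidAmount();
        _allocations[msg.sender][recipient] = amount;
        emit FundsAllocated(recipient, amount);
    }

    // Added path: the recipient pulls what allocator `from` recorded for them.
    function claimAllocation(address from) external {
        uint256 amount = _allocations[from][msg.sender];
        if (amount == 0) revert NothingToClaim();
        // Zero the entry before the external call (checks-effects-interactions).
        _allocations[from][msg.sender] = 0;
        if (!token.transfer(msg.sender, amount)) revert TransferFailed();
        emit AllocationClaimed(from, msg.sender, amount);
    }
}
```

The claim reverts if the contract's token balance is below the recorded amount, so a real implementation would also need to decide how allocated funds are reserved against other withdrawals.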

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

What do people do with allocations
