Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

There is *no way* to Withdraw `Emergency Funds` when they are sent to the `Treasury` contract

Summary

The Treasury contract has no dedicated function for withdrawing or transferring the tokens that the FeeCollector contract sends to it in emergency situations.

Vulnerability Details

In emergency situations, the FeeCollector contract sends all the tokens to the Treasury contract.

The same thing happens when FeeCollector distributes fees to the Treasury.
In both cases the tokens arrive as ERC20 transfers, so the Treasury's balance in the respective tokens is updated.

However, withdrawing tokens from the Treasury requires that the amount does NOT exceed the token's entry in the `_balances` mapping, i.e.:

```solidity
if (_balances[token] < amount) revert InsufficientBalance();
```

This mapping is updated ONLY when someone calls the `deposit()` function directly on the Treasury contract. There is no other way to withdraw tokens.

Therefore, any funds sent from the FeeCollector contract or any other contract will be stuck in the Treasury contract.

Impact

Funds will be stuck in the Treasury contract.

Tools Used

Manual

Recommendations

Consider adding a dedicated function in Treasury for making transfers/withdrawals in Emergency situations.
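
The accounting gap and one possible shape of the recommended fix, as an added example that is not the audited Treasury source. `TreasuryModel`, `manager`, `untracked` and `recoverUntracked` are hypothetical names; only `deposit()`, `_balances` and the `InsufficientBalance` check come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Simplified model of the accounting described in the finding (assumed layout).
contract TreasuryModel {
    error InsufficientBalance();
    error NotManager();

    address public immutable manager;              // assumed access-control role
    mapping(address => uint256) private _balances; // only deposit() increases this

    constructor() { manager = msg.sender; }

    modifier onlyManager() {
        if (msg.sender != manager) revert NotManager();
        _;
    }

    function deposit(address token, uint256 amount) external {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        _balances[token] += amount;
    }

    // Tokens that arrived through a plain ERC20 transfer (for example from
    // FeeCollector) never reach _balances, so this check reverts for them.
    function withdraw(address token, uint256 amount, address to) external onlyManager {
        if (_balances[token] < amount) revert InsufficientBalance();
        _balances[token] -= amount;
        require(IERC20(token).transfer(to, amount), "transfer failed");
    }

    // Tokens held by the contract but missing from internal accounting.
    function untracked(address token) public view returns (uint256) {
        return IERC20(token).balanceOf(address(this)) - _balances[token];
    }

    // Hypothetical recovery path: releases only the untracked surplus,
    // leaving balances recorded through deposit() untouched.
    function recoverUntracked(address token, address to) external onlyManager {
        uint256 surplus = untracked(token);
        require(IERC20(token).transfer(to, surplus), "transfer failed");
    }
}
```

After a direct transfer of 100 tokens to this model, `withdraw(token, 100, to)` reverts with `InsufficientBalance` while `untracked(token)` returns 100, which is the stuck amount the finding describes.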

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

FeeCollector::_processDistributions and emergencyWithdraw directly transfer funds to Treasury where they get permanently stuck
