In contracts/core/collectors/Treasury.sol, the internal variable _totalValue is used to track the total value across all tokens. However, the contract assumes that all tokens have the same value, which is incorrect and can lead to inaccurate accounting of treasury assets.
The _totalValue variable is updated in the deposit and withdraw functions as follows:
This implementation fails to account for the differing values of tokens. It assumes that all deposited and withdrawn tokens have the same unit value, which is not the case in real-world scenarios where token prices fluctuate. As a result, _totalValue does not reflect the true value of the treasury’s holdings.
This vulnerability can lead to:
- Inaccurate tracking of the total treasury value.
- Potential mismanagement of funds due to incorrect value representation.
Tools used: manual code review.
To address this issue, the contract should integrate an oracle to fetch real-time token prices and adjust _totalValue accordingly. Instead of directly adding or subtracting the raw amount, the contract should compute the value of tokens in a common denomination (e.g., USD or ETH) before updating _totalValue.
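The following is an added illustration of the recommendation above; it is not code from Treasury.sol or the audited project. It shows the raw-amount accounting pattern the finding describes next to a version that converts each deposit and withdrawal into a common 18-decimal unit through a price oracle before touching _totalValue. The IPriceOracle interface, the 1e18 price scaling, the MAX_PRICE_AGE bound and the owner check are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical oracle interface (assumption, not part of the audited project).
// Returns the price of `token` in a common unit (e.g. USD) scaled to 1e18,
// plus the timestamp of the last price update so callers can reject stale data.
interface IPriceOracle {
    function getPrice(address token) external view returns (uint256 price, uint256 updatedAt);
}

interface IERC20Metadata {
    function decimals() external view returns (uint8);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract TreasuryExample {
    // Flawed pattern from the finding: a plain sum of token amounts, which
    // treats 1 unit of an 8-decimal token and 1 wei of an 18-decimal token alike.
    uint256 internal _totalValueRaw;

    // Hardened accounting: value in the oracle's common unit, 18 decimals.
    uint256 internal _totalValue;
    mapping(address => uint256) internal _valueOf; // value credited per token

    IPriceOracle public immutable oracle;
    address public immutable owner;
    uint256 public constant MAX_PRICE_AGE = 1 hours; // assumed staleness bound

    constructor(IPriceOracle _oracle) {
        oracle = _oracle;
        owner = msg.sender;
    }

    // --- Vulnerable form, kept for contrast ---
    function depositRaw(address token, uint256 amount) external {
        require(IERC20Metadata(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        _totalValueRaw += amount; // ignores both price and decimals
    }

    // --- Hardened form ---
    // Converts a raw token amount into the common unit, normalising decimals
    // first and rejecting zero or stale prices.
    function _valueOfAmount(address token, uint256 amount) internal view returns (uint256) {
        (uint256 price, uint256 updatedAt) = oracle.getPrice(token);
        require(price > 0, "bad price");
        require(block.timestamp - updatedAt <= MAX_PRICE_AGE, "stale price");
        uint8 dec = IERC20Metadata(token).decimals();
        uint256 amount18 = dec <= 18 ? amount * 10 ** (18 - dec) : amount / 10 ** (dec - 18);
        return amount18 * price / 1e18;
    }

    function deposit(address token, uint256 amount) external {
        // Production code should use SafeERC20: some tokens return no bool.
        require(IERC20Metadata(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 v = _valueOfAmount(token, amount);
        _valueOf[token] += v;
        _totalValue += v;
    }

    function withdraw(address token, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        uint256 v = _valueOfAmount(token, amount);
        // A price rise since deposit could make v exceed what was credited;
        // cap it so _totalValue cannot underflow and revert every withdrawal.
        if (v > _valueOf[token]) v = _valueOf[token];
        _valueOf[token] -= v;
        _totalValue -= v;
        require(IERC20Metadata(token).transfer(msg.sender, amount), "transfer failed");
    }

    function totalValue() external view returns (uint256) {
        return _totalValue;
    }
}
```

Two caveats follow from this design. A stored _totalValue still snapshots prices at the moment of each deposit, so it drifts from the true value as prices move afterwards; if the figure is used for anything consequential, a view that sums each token balance times its current oracle price is more accurate than a running total. And the oracle itself becomes a trust boundary: the staleness check and the zero-price check above are the minimum, and the per-token cap in withdraw is what keeps a moved price from bricking withdrawals.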