Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

`deposit` function in Treasury contract can be easily bricked.

Summary

`deposit` has no access control checks, so anyone can call the function with any token. This allows the `deposit` function to be bricked completely.

Vulnerability Details

This is how `deposit` is defined:

```solidity
function deposit(address token, uint256 amount) external override nonReentrant {
    if (token == address(0)) revert InvalidAddress();
    if (amount == 0) revert InvalidAmount();
    IERC20(token).transferFrom(msg.sender, address(this), amount);
    _balances[token] += amount;
    _totalValue += amount;
    emit Deposited(token, amount);
}
```

It is missing access control checks, allowing anyone to call this function with any ERC20 token. A token could be made such that it only allows transfers from an attacker's account. The attacker can then mint `type(uint256).max` tokens to their own account, call `deposit`, and transfer it all to this contract. This raises the `_totalValue` variable to `type(uint256).max`, after which no further deposits are possible: any later `_totalValue += amount` overflows and reverts under Solidity's checked arithmetic.

The pseudo-code of the transfer function of such a malicious token could look like this:

```
transfer(to, amount) {
    require(msg.sender == attackerAddress);
    ...
}
```

This would only allow the attacker to transfer tokens. As a result, even if the withdrawer called the `withdraw` function, the call would fail, because the token's transfer function rejects transfers from any address other than the attacker's.

```solidity
function withdraw(
    address token,
    uint256 amount,
    address recipient
) external override nonReentrant onlyRole(MANAGER_ROLE) {
    if (token == address(0)) revert InvalidAddress();
    if (recipient == address(0)) revert InvalidRecipient();
    if (_balances[token] < amount) revert InsufficientBalance();
    _balances[token] -= amount;
    _totalValue -= amount;
    IERC20(token).transfer(recipient, amount);
    emit Withdrawn(token, amount, recipient);
}
```

These tokens cannot be sent from the Treasury's address, so `_totalValue` never gets decremented. The `deposit` function cannot be called again because `_totalValue` is equal to `type(uint256).max`.

Impact

The `deposit` function is completely bricked. It can no longer be called with other, useful tokens.

Tools Used

Manual review

Recommendations

Add the `onlyRole(MANAGER_ROLE)` modifier to the `deposit` function.
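
The following Python model is an added example, not the project's code or part of the original submission. It replays the accounting described in this finding with and without the recommended role check. The addresses `"outsider"`, `"manager"` and `"treasury"`, the token balances and the `Token`/`Treasury`/`replay` names are constructed for illustration, and a raised `Revert` stands in for an EVM revert.

```python
# Added model, not the project's code: Treasury accounting under Solidity >=0.8 checked math.
UINT256_MAX = 2**256 - 1

class Revert(Exception): pass   # stands in for an EVM revert (whole call rolled back)

class Token:                    # toy ERC20; if only_source is set, funds may leave only that account
    def __init__(self, bal, only_source=None):
        self.bal, self.only_source = dict(bal), only_source
    def move(self, src, dst, amount):
        if self.only_source is not None and src != self.only_source:
            raise Revert("transfer restricted")
        if self.bal.get(src, 0) < amount:
            raise Revert("insufficient token balance")
        self.bal[src] = self.bal.get(src, 0) - amount
        self.bal[dst] = self.bal.get(dst, 0) + amount

class Treasury:
    def __init__(self, managers, restrict_deposit):
        self.managers, self.restrict_deposit = set(managers), restrict_deposit
        self.balances, self.total_value = {}, 0
    def deposit(self, sender, token, amount):
        if self.restrict_deposit and sender not in self.managers:
            raise Revert("missing MANAGER_ROLE")     # the recommended modifier
        if self.total_value + amount > UINT256_MAX:  # checked `_totalValue += amount`
            raise Revert("arithmetic overflow")
        token.move(sender, "treasury", amount)       # transferFrom(msg.sender, this, amount)
        self.balances[token] = self.balances.get(token, 0) + amount
        self.total_value += amount
    def withdraw(self, sender, token, amount, recipient):
        if sender not in self.managers:
            raise Revert("missing MANAGER_ROLE")
        if self.balances.get(token, 0) < amount:
            raise Revert("InsufficientBalance")
        token.move("treasury", recipient, amount)    # a revert here undoes the whole call
        self.balances[token] = self.balances.get(token, 0) - amount
        self.total_value -= amount

def replay(restrict_deposit):
    """Returns (restricted-token deposit ok, manager withdraw ok, later deposit ok)."""
    t = Treasury({"manager"}, restrict_deposit)
    bad, good = Token({"outsider": UINT256_MAX}, "outsider"), Token({"manager": 1_000})
    def ok(fn, *args):
        try:
            fn(*args)
            return True
        except Revert:
            return False
    return (ok(t.deposit, "outsider", bad, UINT256_MAX),
            ok(t.withdraw, "manager", bad, UINT256_MAX, "manager"),
            ok(t.deposit, "manager", good, 1_000))
```

`replay(False)` models the contract as written and `replay(True)` models it with the recommended modifier, where the unprivileged deposit is rejected and the later deposit of the ordinary token goes through.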

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
