All funds sent to the Treasury contract are permanently lost
Vulnerability Details
The Treasury contract has introduced a mapping to track the funds sent called _balances. This mapping is incremented when the deposit function is called and decremented when withdraw occurs.
Problem is: all the funds sent to the Treasury are done via SafeERC20.safeTransfer not the Treaasury.deposit function.
Proof here
Thus, it is impossible to withdraw the funds from the Treasury. Permanently.
Root cause: if (_balances[token] < amount) revert InsufficientBalance();
Impact
Permanent loss of all the funds sent to the Treasury. Contract is not upgradeable, there is no way to rescue those funds.
Tools Used
Manual Review
Recommendations
Remove the storage variable
_balances. ERC20 already does this tracking for the contract.Remove the deposit function.
Update the withdraw function to simply send the funds to the recipient as the function is already protected by
onlyRole(MANAGER_ROLE).
Lead Judging Commences
FeeCollector::_processDistributions and emergencyWithdraw directly transfer funds to Treasury where they get permanently stuck
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
View preliminary resultsAppeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.