Core Contracts
Regnum Aurum Acquisition Corp
Tags: Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Status: Valid

`Treasury` miscalculates total value by ignoring token denomination and decimals

Summary

The `Treasury` contract adds raw token amounts to a single running total without normalizing for each token's decimals or price, so the reported total is meaningless across tokens. For example:

  • Depositing 1 USDC (1e6 raw units) and 1 WETH (1e18 raw units) results in `_totalValue = 1000000000001000000`

  • The actual value should be around $3001 (assuming 1 WETH = $3000)

Vulnerability Details

The `Treasury` contract tracks token balances in `_balances` and sums the raw amounts into `_totalValue`:

```solidity
function deposit(address token, uint256 amount) external override nonReentrant {
    if (token == address(0)) revert InvalidAddress();
    if (amount == 0) revert InvalidAmount();
    IERC20(token).transferFrom(msg.sender, address(this), amount);
    _balances[token] += amount;
@>  _totalValue += amount;
    emit Deposited(token, amount);
}
```

`Treasury::getTotalValue()` returns `_totalValue` directly:

```solidity
function getTotalValue() external view override returns (uint256) {
@>  return _totalValue;
}
```

Impact

  1. Severely inaccurate total value reporting: raw units of different tokens are summed as if they were interchangeable, so the smallest unit of WETH (1e-18 ETH) is counted the same as the smallest unit of USDC (1e-6 USD)

  2. Potential mismanagement of protocol funds due to incorrect value tracking

Tools Used

Manual review

Recommendations

  1. Integrate a price oracle (e.g., Chainlink) to get USD values

  2. Normalize all values to a standard decimal (e.g., 18)

  3. Track individual token balances separately (already done) and calculate total value on-demand
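The following is an added example illustrating all three recommendations together; it is not the project's code. It computes the total on demand from `_balances`, prices each token through a Chainlink-style `AggregatorV3Interface` feed (the `latestRoundData()`/`decimals()` signatures are the real Chainlink ones), and rescales `balance * price` from `tokenDecimals + feedDecimals` to a fixed 18-decimal USD value. The contract name `TreasuryNormalized`, the `setPriceFeed`/`_tokenValue` helpers, the `UnsupportedToken`/`StalePrice` errors and the `MAX_PRICE_AGE` bound are assumptions made for this example; the original `nonReentrant` modifier is omitted here only because its `ReentrancyGuard` base is not reproduced.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the audited project's code). Minimal ERC20 surface with
// `decimals()`, and the Chainlink AggregatorV3Interface functions used below.
interface IERC20Metadata {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
    function decimals() external view returns (uint8);
}

interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract TreasuryNormalized {
    error InvalidAddress();
    error InvalidAmount();
    error UnsupportedToken(address token); // hypothetical: token has no feed configured
    error StalePrice(address token);       // hypothetical: feed answer too old or non-positive
    error TransferFailed();

    event Deposited(address indexed token, uint256 amount);

    uint256 public constant VALUE_DECIMALS = 18;    // every value is reported as 18-decimal USD
    uint256 public constant MAX_PRICE_AGE = 1 hours; // assumed staleness bound for feed answers

    address public immutable owner;
    mapping(address => uint256) private _balances;                 // per-token raw balances (as in the original)
    mapping(address => AggregatorV3Interface) public priceFeeds;   // token => USD feed
    address[] private _tokens;                                     // tokens with a configured feed

    constructor() {
        owner = msg.sender;
    }

    /// Whitelist a token and its USD price feed. Only whitelisted tokens can be deposited,
    /// which also closes the "arbitrary/malicious token inflates the total" path.
    function setPriceFeed(address token, address feed) external {
        require(msg.sender == owner, "not owner");
        if (token == address(0) || feed == address(0)) revert InvalidAddress();
        if (address(priceFeeds[token]) == address(0)) _tokens.push(token);
        priceFeeds[token] = AggregatorV3Interface(feed);
    }

    /// Keep the original nonReentrant modifier on this function in production.
    function deposit(address token, uint256 amount) external {
        if (token == address(0)) revert InvalidAddress();
        if (amount == 0) revert InvalidAmount();
        if (address(priceFeeds[token]) == address(0)) revert UnsupportedToken(token);
        // Credit the balance delta, so fee-on-transfer tokens are counted by what actually arrived.
        uint256 before = IERC20Metadata(token).balanceOf(address(this));
        if (!IERC20Metadata(token).transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
        uint256 received = IERC20Metadata(token).balanceOf(address(this)) - before;
        _balances[token] += received;
        emit Deposited(token, received);
    }

    /// USD value of one token position scaled to VALUE_DECIMALS, independent of token/feed decimals.
    /// Worked numbers from the finding (8-decimal feeds): 1 USDC -> 1e6 * 1e8 = 1e14 (14 decimals) -> 1e18;
    /// 1 WETH @ $3000 -> 1e18 * 3000e8 = 3000e26 (26 decimals) -> 3000e18. Total 3001e18, i.e. $3001.
    function _tokenValue(address token) internal view returns (uint256) {
        uint256 bal = _balances[token];
        if (bal == 0) return 0;
        AggregatorV3Interface feed = priceFeeds[token];
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (answer <= 0 || block.timestamp - updatedAt > MAX_PRICE_AGE) revert StalePrice(token);
        uint256 have = uint256(IERC20Metadata(token).decimals()) + uint256(feed.decimals());
        uint256 raw = bal * uint256(answer); // has `have` decimals
        if (have >= VALUE_DECIMALS) return raw / 10 ** (have - VALUE_DECIMALS);
        return raw * 10 ** (VALUE_DECIMALS - have);
    }

    /// Total is derived on demand from per-token balances; no running raw-unit sum is kept.
    function getTotalValue() external view returns (uint256 total) {
        for (uint256 i = 0; i < _tokens.length; ++i) {
            total += _tokenValue(_tokens[i]);
        }
    }
}
```

The loop over `_tokens` is bounded by the owner-controlled whitelist, so it cannot be grown by depositors; if the supported set becomes large, the same `_tokenValue` logic can be applied per token off-chain or cached per deposit instead.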

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
