Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Unchecked Allocation: Permitting Fund Reservations Beyond Actual Treasury Holdings [Treasury.sol]

Summary

The Treasury contract’s allocateFunds function allows an allocator to record an allocation amount for a recipient without verifying that the treasury holds sufficient funds. Because of this missing validation, an allocator can specify an allocation far in excess of the treasury’s actual balance. If external systems or users rely on these allocation records as a guarantee of available funds, withdrawals or fund transfers may fail, leading to operational disruptions for the protocol.

Vulnerability Details

    function allocateFunds(
        address recipient,
        uint256 amount
    ) external override onlyRole(ALLOCATOR_ROLE) {
        if (recipient == address(0)) revert InvalidRecipient();
        if (amount == 0) revert InvalidAmount();
        _allocations[msg.sender][recipient] = amount;
        emit FundsAllocated(recipient, amount);
    }

The function verifies that the recipient address is non-zero and that the amount is not zero, but it does not check whether the treasury’s current balance is sufficient to back the specified allocation.

Because there is no validation against the actual treasury balance or total value held, an allocator can assign an allocation that exceeds the funds available in the treasury.

An external system or user might rely on the allocation records to determine the funds available for withdrawal or other operations. If such an allocation is executed:

  • The system may attempt to withdraw or reserve funds based on the recorded allocation.

  • When a withdrawal is initiated for the full allocated amount, the treasury would be unable to fulfil it due to insufficient balance.

  • This could result in failed withdrawals or operations.

Impact

  • Users or external systems that depend on the allocation records may encounter failed withdrawal attempts when the treasury’s actual funds are lower than the recorded allocation.

  • Overstated allocations can lead to mismanagement of funds, making it appear that more funds are reserved or available than are truly held.

Tools Used

  • Manual review

Recommendations

Update the allocateFunds function to verify that the allocated amount does not exceed the available treasury balance for the relevant token.
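One way to implement the recommended check, as an added sketch that is not the audited Treasury.sol or the project's fix. The `token` parameter, the `totalAllocated` mapping, the single `allocator` address standing in for ALLOCATOR_ROLE, the `InsufficientUnallocatedBalance` error and the use of the ERC-20 `balanceOf` as the source of truth are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example: names other than allocateFunds, InvalidRecipient,
// InvalidAmount and FundsAllocated are hypothetical.
interface IERC20Balance {
    function balanceOf(address account) external view returns (uint256);
}

contract BackedAllocations {
    address public immutable allocator; // stands in for ALLOCATOR_ROLE

    // token => sum of all outstanding allocations in that token
    mapping(address => uint256) public totalAllocated;
    // allocator => token => recipient => amount
    mapping(address => mapping(address => mapping(address => uint256))) private _allocations;

    error NotAllocator();
    error InvalidRecipient();
    error InvalidAmount();
    error InsufficientUnallocatedBalance(uint256 requested, uint256 available);

    event FundsAllocated(address indexed token, address indexed recipient, uint256 amount);

    constructor(address allocator_) {
        allocator = allocator_;
    }

    function allocateFunds(address token, address recipient, uint256 amount) external {
        if (msg.sender != allocator) revert NotAllocator();
        if (recipient == address(0)) revert InvalidRecipient();
        if (amount == 0) revert InvalidAmount();

        // The call overwrites the previous record for this recipient, so
        // release it before measuring what is still unreserved.
        uint256 previous = _allocations[msg.sender][token][recipient];
        uint256 reservedByOthers = totalAllocated[token] - previous;
        uint256 held = IERC20Balance(token).balanceOf(address(this));
        uint256 available = held > reservedByOthers ? held - reservedByOthers : 0;
        if (amount > available) revert InsufficientUnallocatedBalance(amount, available);

        _allocations[msg.sender][token][recipient] = amount;
        totalAllocated[token] = reservedByOthers + amount;
        emit FundsAllocated(token, recipient, amount);
    }
}
```

The check only holds at allocation time: any withdrawal or transfer path that moves tokens out must reduce the matching allocation and `totalAllocated`, or refuse to spend reserved funds, otherwise the records drift above the balance again.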

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::allocateFunds doesn't say what token you are actually allocating, doesn't check balances, or existing allocations to other recipients
