Submission Details
Severity:
Deposit() in Treasury can be DOSed
Summary
Deposit() in Treasury can be DOSed.
Vulnerability Details
Treasury contains _totalValue to record the total value across all tokens deposited into the contract. This variable is updated whenever tokens are deposited.
function deposit(address token, uint256 amount) external override nonReentrant {
if (token == address(0)) revert InvalidAddress();
if (amount == 0) revert InvalidAmount();
IERC20(token).transferFrom(msg.sender, address(this), amount);
_balances[token] += amount;
@> _totalValue += amount;
emit Deposited(token, amount);
}
An attacker can create a malicious token and deposit type(uint256).max tokens into Treasury, efficiently inflate _totalValue to the max value, any subsequent deposits made by genuine users will revert due to underflow error.
Impact
Depost() is permanently DOSed.
Tools Used
Manual Review
Recommendations
Since _totalValue is not used, there is no need to update _totalValue in deposit() or withdraw().
Updates
Lead Judging Commences
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.