Emergency withdraw of ERC20 tokens gets tokens stuck.
Summary
The emergencyWithdraw function in FeeCollector.sol directly sends tokens to the treasury contract, but the treasury contract cannot withdraw tokens that were directly transfered to it.
Vulnerability Details
The only way to get tokens out of Treasury.sol is with the withdraw function, in this function it performs the following operation:
To update it's internal accounting system. The only place where balances are added is during the deposit function. That means that any token not sent using the deposit function cannot be withdrawn because it's not accounted for.
The FeeCollector in it's emergencyWithdraw function sends tokens to the treasury using safeTransfer and thus they'll get stuck.
Impact
Loss of funds.
Tools Used
Manual review.
Recommendations
Use the deposit function of the treasury.
Also might be good to add a recovery mechanism for tokens sent in any other way.
Lead Judging Commences
FeeCollector::_processDistributions and emergencyWithdraw directly transfer funds to Treasury where they get permanently stuck
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.