Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Treasury::Withdraw does not check if recipient has been allocated funds

josh4324

Summary

The withdraw function allows a manager (role-based access via MANAGER_ROLE) to withdraw funds from the contract to a specified recipient. However, it does not verify whether the recipient has an allocation, nor does it check if the withdrawn amount is within the allocated limit. This could allow managers to withdraw funds arbitrarily, bypassing any allocation logic.

Vulnerability Details

function withdraw(
address token,
uint256 amount,
address recipient
) external override nonReentrant onlyRole(MANAGER_ROLE) {
if (token == address(0)) revert InvalidAddress();
if (recipient == address(0)) revert InvalidRecipient();
if (_balances[token] < amount) revert InsufficientBalance();
_balances[token] -= amount;
_totalValue -= amount;
IERC20(token).transfer(recipient, amount);
emit Withdrawn(token, amount, recipient);
}

The function does not check whether the recipient has an allocation, allowing managers to withdraw any amount to any address without validation.

Since the function does not reference _allocations, managers can withdraw funds even if the recipient has not been allocated any amount.

There is also no guarantee that withdrawals align with intended fund distributions.

Impact

Managers can withdraw funds without regard to allocations, leading to potential misappropriation.

Tools Used

Manual Review

Recommendations

Enforce Allocation Checks in the Withdrawal Process

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.