Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Malicious User can DOS treasury deposits

Summary

A user can manipulate the total value tracking by depositing worthless ERC20 tokens with a uint256.max amount, leading to a DoS of legitimate deposits.

Vulnerability Details

In the Treasury contract's deposit function, the _totalValue state variable is used to track the total value of all tokens deposited. It is incremented by the raw amount of whichever token is deposited, so this tracking is vulnerable to manipulation:

function deposit(address token, uint256 amount) external override nonReentrant {
    if (token == address(0)) revert InvalidAddress();
    if (amount == 0) revert InvalidAmount();
    IERC20(token).transferFrom(msg.sender, address(this), amount);
    _balances[token] += amount;
    _totalValue += amount; // @audit attacker can manipulate this
    emit Deposited(token, amount);
}

An attacker can:

  1. Create a worthless ERC20 token

  2. Deposit an amount close to uint256.max

  3. This causes _totalValue to approach uint256.max

  4. Future legitimate deposits will revert due to overflow

Impact

DOS on legitimate token deposits due to _totalValue overflow

Tools Used

Manual Review

Recommendations

Track total value per token instead of aggregating it across tokens, or remove _totalValue if it is not relevant enough.
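
One way to apply this recommendation, as an added sketch that is not the project's or the submitter's code: accounting is kept per token only, so an inflated counter for one token cannot make deposits of another token revert. The contract name TreasuryPerToken and the getBalance view are hypothetical, the import paths assume OpenZeppelin Contracts v5, and crediting the received balance delta is an extra step for the fee-on-transfer case mentioned in the judging tag.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5 import paths.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Hypothetical contract for illustration; not the audited Treasury.
contract TreasuryPerToken is ReentrancyGuard {
    using SafeERC20 for IERC20;

    error InvalidAddress();
    error InvalidAmount();

    event Deposited(address indexed token, uint256 amount);

    // Per-token accounting only. There is no cross-token sum, so a huge
    // balance in one token cannot block deposits of any other token.
    mapping(address => uint256) private _balances;

    function deposit(address token, uint256 amount) external nonReentrant {
        if (token == address(0)) revert InvalidAddress();
        if (amount == 0) revert InvalidAmount();

        // Credit what actually arrived, so fee-on-transfer tokens are
        // not over-counted. SafeERC20 also rejects a false return value.
        uint256 balanceBefore = IERC20(token).balanceOf(address(this));
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = IERC20(token).balanceOf(address(this)) - balanceBefore;
        if (received == 0) revert InvalidAmount();

        // Checked arithmetic can still revert here, but only for this
        // token's own counter.
        _balances[token] += received;
        emit Deposited(token, received);
    }

    function getBalance(address token) external view returns (uint256) {
        return _balances[token];
    }
}
```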

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
