Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Treasury::allocate no way for recipient to withdraw allocated funds, missing withdrawAllocation function

Summary

In the Treasury contract, allocations to a given recipient can be defined using allocateFunds().

Calling this function as an ALLOCATOR reserves funds from the treasury for that recipient; the reservation is stored in _allocations.

The issue is that there is no way for the recipient to withdraw those funds.

Vulnerability Details

A contractor has an agreement with RAAC to do some work, and as a guarantee the RAAC protocol allocates funds from the treasury. The contractor, i.e. the recipient, expects to be able to withdraw the allocation, but there is no such function in the treasury. Also, when storing an allocation, the contract should store both the amount and the token in question.

Impact

The recipient of an allocation cannot withdraw the allocated tokens from the treasury, contrary to what was promised.

Tools Used

Manual

Recommendations

Add a function so that the recipient can withdraw allocated tokens:

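function withdrawAllocation(address allocator) external {
    // A timing restriction or unbonding logic for the allocation could be added here.
    // `allocator` is the account that created the allocation for the caller.
    address recipient = msg.sender;
    uint256 amount = _allocations[allocator][recipient];
    // Assumption: the token is recorded with the allocation (see Vulnerability Details);
    // _allocationTokens is a hypothetical mapping, not part of the current contract.
    address token = _allocationTokens[allocator][recipient];
    // Clear the allocation before transferring out.
    _allocations[allocator][recipient] = 0;
    IERC20(token).safeTransfer(recipient, amount);
}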
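
A fuller sketch of the recommendation, added here as an illustration and not taken from the RAAC code base: it records the token together with the amount when allocating, as the finding suggests, and gives the recipient a withdrawal path. The contract name, the Allocation struct, the events, the extra `token` parameter on allocateFunds and the use of OpenZeppelin's AccessControl are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

// Illustrative sketch only: every name except allocateFunds, _allocations and
// withdrawAllocation is an assumption, not the RAAC Treasury's own code.
contract AllocationSketch is AccessControl {
    using SafeERC20 for IERC20;

    bytes32 public constant ALLOCATOR_ROLE = keccak256("ALLOCATOR_ROLE");

    struct Allocation {
        address token;  // token the allocation is denominated in
        uint256 amount; // amount still claimable by the recipient
    }

    // allocator => recipient => allocation
    mapping(address => mapping(address => Allocation)) private _allocations;

    event FundsAllocated(address indexed allocator, address indexed recipient, address token, uint256 amount);
    event AllocationWithdrawn(address indexed allocator, address indexed recipient, address token, uint256 amount);

    constructor(address admin) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    // Store the token alongside the amount so the payout token is fixed at allocation time.
    function allocateFunds(address recipient, address token, uint256 amount) external onlyRole(ALLOCATOR_ROLE) {
        require(recipient != address(0) && token != address(0), "zero address");
        require(amount > 0, "zero amount");
        _allocations[msg.sender][recipient] = Allocation(token, amount);
        emit FundsAllocated(msg.sender, recipient, token, amount);
    }

    // The recipient claims what a given allocator reserved for them.
    function withdrawAllocation(address allocator) external {
        Allocation memory a = _allocations[allocator][msg.sender];
        require(a.amount > 0, "nothing allocated");
        delete _allocations[allocator][msg.sender]; // clear state before the external call
        IERC20(a.token).safeTransfer(msg.sender, a.amount);
        emit AllocationWithdrawn(allocator, msg.sender, a.token, a.amount);
    }
}
```

Because the payout token is read from storage rather than supplied by the caller, a recipient can only withdraw the token the allocator chose.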
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

What do people do with allocations
