Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC

Submission Details
Severity: low
Valid

Overwriting of previous allocations in `Treasury.sol`

Summary

The `Treasury::allocateFunds` function overwrites an existing allocation instead of adding to it, so a previously allocated amount for the same recipient is lost. This makes the allocation bookkeeping inconsistent and can disrupt the intended distribution of funds.

Vulnerability Details

The function updates `_allocations[msg.sender][recipient]` by setting it directly to `amount`, replacing any previous value:

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/collectors/Treasury.sol#L94

• If the function is called more than once for the same recipient, the earlier allocations are lost, because there is no accumulation logic.

Impact

Loss of allocation history, making fund tracking unreliable.

Tools Used

Manual Review

Recommendations

The function can be refactored to accumulate allocations (the existing assignment is replaced by an addition):

```diff
function allocateFunds(
    address recipient,
    uint256 amount
) external override onlyRole(ALLOCATOR_ROLE) {
    if (recipient == address(0)) revert InvalidRecipient();
    if (amount == 0) revert InvalidAmount();
-   _allocations[msg.sender][recipient] = amount;
+   _allocations[msg.sender][recipient] += amount; // Accumulate allocation instead of overwriting
    emit FundsAllocated(recipient, amount);
}
```
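The accumulating pattern above, extended with an explicit decrease path (the judging note below asks for both increase and decrease) and a running total that can be checked against the per-recipient entries, as an added example. This is a hypothetical contract, not RAAC's `Treasury.sol`; the `isAllocator` stand-in for `ALLOCATOR_ROLE`, the event signatures, `totalAllocated` and `getAllocation` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal allocation ledger (not the RAAC Treasury contract).
// A repeat call for the same recipient adds to the prior amount instead of replacing it,
// and reductions go through a dedicated function with an underflow check.
contract AllocationLedgerDemo {
    mapping(address => bool) public isAllocator;                 // stand-in for ALLOCATOR_ROLE
    mapping(address => mapping(address => uint256)) private _allocations;
    uint256 public totalAllocated;                               // invariant: sum of all _allocations entries

    event FundsAllocated(address indexed allocator, address indexed recipient, uint256 amount, uint256 newAllocation);
    event FundsDeallocated(address indexed allocator, address indexed recipient, uint256 amount, uint256 newAllocation);

    error NotAllocator();
    error InvalidRecipient();
    error InvalidAmount();
    error InsufficientAllocation(uint256 current, uint256 requested);

    modifier onlyAllocator() {
        if (!isAllocator[msg.sender]) revert NotAllocator();
        _;
    }

    constructor() {
        isAllocator[msg.sender] = true;
    }

    // Accumulates: allocating 100 then 50 to the same recipient leaves 150, not 50.
    function allocateFunds(address recipient, uint256 amount) external onlyAllocator {
        if (recipient == address(0)) revert InvalidRecipient();
        if (amount == 0) revert InvalidAmount();
        _allocations[msg.sender][recipient] += amount;
        totalAllocated += amount;
        emit FundsAllocated(msg.sender, recipient, amount, _allocations[msg.sender][recipient]);
    }

    // Explicit decrease path instead of overwriting with a smaller number.
    function deallocateFunds(address recipient, uint256 amount) external onlyAllocator {
        uint256 current = _allocations[msg.sender][recipient];
        if (amount == 0) revert InvalidAmount();
        if (amount > current) revert InsufficientAllocation(current, amount);
        _allocations[msg.sender][recipient] = current - amount;
        totalAllocated -= amount;
        emit FundsDeallocated(msg.sender, recipient, amount, current - amount);
    }

    function getAllocation(address allocator, address recipient) external view returns (uint256) {
        return _allocations[allocator][recipient];
    }
}
```

Keying the mapping by allocator as well as recipient means one allocator cannot silently reset another's entry, and `totalAllocated` gives a single figure a test can compare against the sum of individual allocations.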
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::allocateFunds should increase or decrease funds to avoid recipient frontrunning and double spending
