Submission Details
Severity:
allocateFunds() overwrites previous allocations and lacks token specification
Description
The allocateFunds() function in Treasury contract directly overwrites existing allocations without considering previous values:
function allocateFunds(address recipient, uint256 amount) external onlyRole(ALLOCATOR_ROLE) {
_allocations[msg.sender][recipient] = amount; // @audit direct overwrite
}
Previous allocation value is lost on new allocation. No specification of which token is being allocated and allocations are not checked against actual token balances
This means allocators can accidentally erase previous allocations. There is no way to track which token is allocated and admin can allocate more than treasury actually holds.
Recommendation
Track allocations per token and add/subtract instead of overwrite:
function allocateFunds(
address token,
address recipient,
uint256 amount,
bool increase // true to add, false to subtract
) external onlyRole(ALLOCATOR_ROLE) {
require(_balances[token] >= amount, "Insufficient balance");
if(increase) {
_allocations[token][msg.sender][recipient] += amount;
} else {
_allocations[token][msg.sender][recipient] -= amount;
}
}
Updates
Lead Judging Commences
inallhonesty 3 months ago
Submission Judgement Published Assigned finding tags:
Treasury::allocateFunds should increase or decrease funds to avoid recipient frontrunning and double spending
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.