Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

No corresponding method/function to withdraw/redeem allocated amount in the Treasury contract

Summary

Vulnerability Details

The allocateFunds function in the Treasury contract is expected to track funds allocation. However, it does not allocate any funds or tokens to users when the ALLOCATOR role invokes it. By contrast, deposit and withdraw form a matching pair: one deposits any kind of token into the contract and the other withdraws any kind of token. allocateFunds only updates a state variable (a mapping), and there is no corresponding function through which allocated recipients can receive their allocations.

deposit <-----------------> withdraw

allocateFunds <-------> ?

```solidity
function allocateFunds(address recipient, uint256 amount) external override onlyRole(ALLOCATOR_ROLE) {
    if (recipient == address(0)) revert InvalidRecipient();
    if (amount == 0) revert InvalidAmount();
    // Only the mapping is written; no token is transferred or reserved here.
    _allocations[msg.sender][recipient] = amount;
    emit FundsAllocated(recipient, amount);
}
```

Impact

No real allocation of funds to recipient. Just state update.

Tools Used

Manual review.

Recommendations

Rename the function if its primary purpose is only to track a figure assigned to users. If it is meant to allocate funds that users can claim in the future, design allocateFunds to allocate tokens and add a function for recipients to claim allocated funds from the treasury. Consider the token type when allocating tokens to recipients.
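One way the second option could look, as an added sketch that is not the audited Treasury or the project's code. The contract name, the single `allocator` address standing in for ALLOCATOR_ROLE, the `token` parameter, `claimAllocation`, the `reserved`/`claimable` mappings and the extra errors and events are all hypothetical, and the token is assumed to be a standard ERC-20 whose `transfer` returns a bool.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration only; every name not shown in the finding is hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract TreasuryAllocationSketch {
    error InvalidRecipient();
    error InvalidAmount();
    error NotAllocator();
    error InsufficientUnreserved();
    error NothingToClaim();
    error TransferFailed();

    event FundsAllocated(address indexed token, address indexed recipient, uint256 amount);
    event AllocationClaimed(address indexed token, address indexed recipient, uint256 amount);

    address public immutable allocator; // stands in for ALLOCATOR_ROLE
    mapping(address => uint256) public reserved; // token => total owed to recipients
    mapping(address => mapping(address => uint256)) public claimable; // token => recipient => owed

    constructor(address allocator_) { allocator = allocator_; }

    // Sets the recipient's allocation for one token and checks that balance backs it.
    function allocateFunds(address token, address recipient, uint256 amount) external {
        if (msg.sender != allocator) revert NotAllocator();
        if (recipient == address(0)) revert InvalidRecipient();
        if (amount == 0) revert InvalidAmount();
        uint256 newReserved = reserved[token] - claimable[token][recipient] + amount;
        if (newReserved > IERC20(token).balanceOf(address(this))) revert InsufficientUnreserved();
        reserved[token] = newReserved;
        claimable[token][recipient] = amount;
        emit FundsAllocated(token, recipient, amount);
    }

    // The counterpart to allocateFunds: the recipient pulls what was allocated.
    function claimAllocation(address token) external {
        uint256 amount = claimable[token][msg.sender];
        if (amount == 0) revert NothingToClaim();
        // State is updated before the external call (checks-effects-interactions).
        claimable[token][msg.sender] = 0;
        reserved[token] -= amount;
        if (!IERC20(token).transfer(msg.sender, amount)) revert TransferFailed();
        emit AllocationClaimed(token, msg.sender, amount);
    }
}
```

In a design like this, any general withdraw path would also have to leave `reserved[token]` in the contract so that outstanding claims stay funded.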

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

What do people do with allocations
