Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Treasury.sol: Inconsistent total value tracking due to mixed token denominations

Relevant GitHub Links

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/collectors/Treasury.sol#L51C1-L52C31

Summary

The Treasury's _totalValue adds up balances of tokens with different decimals without any normalization, so the total value it reports is meaningless.

Vulnerability Details

The Treasury contract adds different token amounts directly to _totalValue without accounting for differing token decimals or values:

function deposit(address token, uint256 amount) external override nonReentrant {
    // ...
    _balances[token] += amount;
    _totalValue += amount; // @audit adds raw amounts of different tokens
}

The same issue exists in the withdraw function, where amounts are subtracted from _totalValue directly.

Impact

  • getTotalValue() returns a meaningless aggregate of different token amounts

  • No impact on protocol security, because:

      • Each token balance is tracked separately in _balances

      • No protocol functionality depends on _totalValue

Tools Used

Manual Review

Recommendations

Either:

  1. Remove _totalValue tracking since it provides no meaningful information, or

  2. Normalize values to a common unit before aggregation.
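The second recommendation, as an added illustration that is not part of the RAAC code base: a hypothetical minimal treasury that scales every amount to 18 decimals before touching the running total, so a 6-decimal USDC deposit and an 18-decimal deposit contribute in the same unit. It assumes OpenZeppelin's IERC20Metadata/SafeERC20, only normalizes decimals (equating tokens by price would still need an oracle), and leaves access control aside.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical sketch (not the RAAC Treasury): per-token raw balances plus a
/// running total kept in a single 18-decimal unit.
contract TreasuryNormalized {
    using SafeERC20 for IERC20;

    uint8 public constant TARGET_DECIMALS = 18;

    mapping(address => uint256) private _balances; // raw token units, per token
    uint256 private _totalNormalized;              // sum of all balances, 18 decimals

    /// Scale a raw amount to TARGET_DECIMALS. Tokens with more than 18 decimals
    /// are rejected instead of being silently truncated. decimals() is trusted
    /// here, so an allowlist of accepted tokens is assumed to exist upstream.
    function _normalize(address token, uint256 amount) internal view returns (uint256) {
        uint8 d = IERC20Metadata(token).decimals();
        require(d <= TARGET_DECIMALS, "unsupported decimals");
        return amount * 10 ** uint256(TARGET_DECIMALS - d);
    }

    function deposit(address token, uint256 amount) external {
        require(amount > 0, "zero amount");
        // Credit what actually arrived, so fee-on-transfer tokens cannot inflate the total.
        uint256 before = IERC20(token).balanceOf(address(this));
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = IERC20(token).balanceOf(address(this)) - before;

        _balances[token] += received;
        _totalNormalized += _normalize(token, received);
    }

    function withdraw(address token, uint256 amount, address to) external {
        require(_balances[token] >= amount, "insufficient balance");
        _balances[token] -= amount;
        _totalNormalized -= _normalize(token, amount); // same unit as on deposit
        IERC20(token).safeTransfer(to, amount);
    }

    /// Every token contributes in the same 18-decimal unit, so 1 USDC (1e6 raw)
    /// and 1 token of an 18-decimal asset (1e18 raw) each add 1e18 here.
    function getTotalValue() external view returns (uint256) {
        return _totalNormalized;
    }
}
```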

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT, etc.
