Submission Details
Severity:
Recipient allocation not considered during token withdrawals
Summary
The withdraw function does not consider the recipient allocation when withdrawing tokens from the treasury.
Vulnerability Details
Treasury.sol holds the allocateFunds function which allocates funds to a recipient, records allocations without transferring tokens.
function allocateFunds(
address recipient,
uint256 amount
) external override onlyRole(ALLOCATOR_ROLE) {
if (recipient == address(0)) revert InvalidRecipient();
if (amount == 0) revert InvalidAmount();
_allocations[msg.sender][recipient] = amount;
emit FundsAllocated(recipient, amount);
}
However, the withdraw function does not consider the recipient allocation.
function withdraw(
address token,
uint256 amount,
address recipient
) external override nonReentrant onlyRole(MANAGER_ROLE) {
if (token == address(0)) revert InvalidAddress();
if (recipient == address(0)) revert InvalidRecipient();
if (_balances[token] < amount) revert InsufficientBalance();
_balances[token] -= amount;//@audit recipient allocation not considered.
_totalValue -= amount;
IERC20(token).transfer(recipient, amount);
emit Withdrawn(token, amount, recipient);
}
Impact
As a result, the tokens received by the recipient is not guaranteed to be the same as the amount allocated, adding extra duties for the manager.
Tools Used
Manual Review
Recommendations
Account for the allocations made before transferring the tokens.
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
What do people do with allocations
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.