Summary

The Treasury.sol contract does not update its _totalValue variable when receiving direct transfers from FeeCollector.sol. This results in an incorrect representation of treasury holdings, potentially leading to misinformed financial decisions and governance actions.

Vulnerability Details

Issue: _totalValue Fails to Reflect Direct Transfers

The _totalValue variable in Treasury.sol is only updated when deposits occur through the deposit() function. However, funds transferred directly from FeeCollector.sol are not accounted for, creating a discrepancy between actual token balances and the reported total value.

Example of the Issue:

1. FeeCollector.sol transfers tokens directly to Treasury.sol.

2. The treasury contract’s balance increases, but _totalValue remains unchanged.

3. Calls to getTotalValue() return a lower-than-actual treasury value, leading to inaccurate reporting.

Impact

• Incorrect Treasury Valuation: On-chain data consumers receive misleading information regarding available funds.

• Risk of Fund Mismanagement: Treasury allocations and withdrawals may be executed based on inaccurate balance data.

Tools Used

• Manual Code Review

Recommendations

1. Update _totalValue Whenever Funds Are Received: Implement a mechanism to detect and account for incoming transfers outside deposit().

   • Possible solutions include tracking ERC20 transfers to the contract or using an event-triggered balance sync.

2. Modify getTotalValue() to Reflect Real-Time Balances:

   function getTotalValue() public view override returns (uint256) {

   return address(this).balance; // or sum balances of all tracked ERC20 tokens

   }

   ​