Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC

Submission Details
Severity: medium
Valid

Incorrect `_totalValue` Calculation Can Lead to Misreported Treasury Holdings

Summary

The _totalValue variable is intended to track the total value of assets held by the treasury. However, the contract simply increases or decreases this value whenever a deposit or withdrawal occurs, without distinguishing between different token types. Since the contract supports multiple ERC20 tokens, this approach is fundamentally flawed because it does not account for token price differences or decimals. The _totalValue could become a meaningless or misleading figure, which can result in incorrect allocations, withdrawals, or governance decisions.

Vulnerability Details

The contract updates _totalValue in the deposit and withdraw functions as follows:

  • Deposit (https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/collectors/Treasury.sol#L52):

    _totalValue += amount;

  • Withdraw (https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/collectors/Treasury.sol#L74):

    _totalValue -= amount;

The _totalValue variable is meant to track the total value of assets in the treasury, but it is updated incorrectly by simply adding or subtracting token amounts without considering differences in token decimals or market value. Since the treasury supports multiple ERC20 tokens, this approach leads to a distorted _totalValue, as it treats all tokens as having the same unit of value.

For example, depositing 1 USDT (6 decimals) and 1 WETH (18 decimals) will both increase _totalValue by 1, even though their actual values differ significantly.

Additionally, withdrawals decrease _totalValue without checking if the token being withdrawn has a different decimal structure or market price. This incorrect tracking can mislead governance decisions, fund allocations, and withdrawals, potentially causing financial mismanagement.

Impact

Misreporting _totalValue could lead to severe financial mismanagement, as governance may allocate funds based on an inaccurate treasury value.

Tools Used

  • Manual code review

Recommendations

To ensure _totalValue accurately represents the real value of the treasury, it should not be a simple sum of token balances. Instead, it should be calculated dynamically using an oracle-based pricing system that accounts for token prices, token decimals, and dynamic _totalValue recalculation.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
