Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Missing Token Specification in Fund Allocation May Cause Tracking Errors and Misallocations

victortheoracle

Summary

The allocateFunds function in the Treasury contract does not include a token parameter, which is problematic given that the treasury supports multiple ERC20 tokens. This omission means there is no clear indication of which token is being allocated to a recipient, leading to potential confusion in tracking and later fund distribution.

Vulnerability Details

In the current implementation, the allocation mechanism is defined as follows:

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/collectors/Treasury.sol#L87-L96

function allocateFunds(
address recipient,
uint256 amount
) external override onlyRole(ALLOCATOR_ROLE) {
if (recipient == address(0)) revert InvalidRecipient();
if (amount == 0) revert InvalidAmount();
_allocations[msg.sender][recipient] = amount;
emit FundsAllocated(recipient, amount);
}

Notice that the function accepts only a recipient and an amount, with no parameter for specifying which ERC20 token is being allocated. Since the treasury is designed to handle multiple tokens, this creates ambiguity.

The _allocations mapping only records allocations keyed by the allocator and recipient, leaving it unclear whether the allocation pertains to a specific token or is intended to represent a general fund allocation. This lack of clarity can lead to mismanagement when attempting to correlate allocations with actual token balances.

Impact

This design flaw can lead to significant operational confusion. Without explicit token information, it becomes challenging to determine which token's balance is being allocated. This ambiguity may cause errors in fund distribution, resulting in potential misallocation of funds or disputes over allocation records. While it does not directly put funds at risk, it undermines the treasury's transparency and can lead to governance and management issues, particularly in environments where accurate tracking of multiple tokens is critical.

Tools Used

  • Manual code review

Recommendations

Modify the allocateFunds function to include a token address parameter. This ensures that each allocation is explicitly tied to a specific ERC20 token.

function allocateFunds(
address token,
address recipient,
uint256 amount
) external override onlyRole(ALLOCATOR_ROLE) {
if (token == address(0)) revert InvalidAddress();
if (recipient == address(0)) revert InvalidRecipient();
if (amount == 0) revert InvalidAmount();
_allocations[msg.sender][token][recipient] = amount;
emit FundsAllocated(token, recipient, amount);
}

Then update the _allocations mapping to reflect token-specific allocations:

mapping(address => mapping(address => mapping(address => uint256))) private _allocations;
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::allocateFunds doesn't say what token you are actually allocating, doesn't check balances, or existing allocations to other recipients

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!