Submission Details
Severity:
Missing token whitelist in `deposit()` function enables DOS attack
Summary
The deposit() function in Treasury contract accepts any ERC20 token without validation, allowing attackers to overflow _totalValue with malicious tokens.
Vulnerability Details
The deposit() function lacks token validation:
function deposit(address token, uint256 amount) external override nonReentrant {
if (token == address(0)) revert InvalidAddress();
if (amount == 0) revert InvalidAmount();
IERC20(token).transferFrom(msg.sender, address(this), amount);
_balances[token] += amount;
_totalValue += amount;
emit Deposited(token, amount);
}
If an attacker sends a malicious token of around type(uint256).max, the _totalValue variable can overflow, preventing legitimate users from depositing tokens.
Impact
Attackers can prevent legitimate users from depositing tokens by causing an overflow in the _totalValue variable.
Recommendations
Implement a whitelist mechanism to restrict deposits to only approved ERC20 tokens.
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.