Core Contracts

Summary

The current allocation mechanism records fund allocations without verifying that the treasury holds a sufficient balance of the specific token. As a result, an allocator could designate an allocation for a recipient even when the corresponding token balance in the treasury is insufficient. This can lead to situations where recorded allocations do not reflect actual available funds, thereby misguiding stakeholders and affecting operational decisions.

Vulnerability Details

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/collectors/Treasury.sol#L87-L96

In the allocateFunds function, any user with the ALLOCATOR_ROLE can record an allocation by simply providing a recipient address and an amount. The function does not verify that the treasury’s balance for the token is sufficient to support the allocation. For instance, the function blindly sets the allocation value without cross-checking against the treasury’s recorded balance, which means that even if the treasury does not actually possess the allocated funds, the allocation is still recorded and emitted. This creates a discrepancy between the recorded allocations and the real token balance held by the treasury, potentially leading to confusion and operational inefficiencies when funds are later expected to be available for withdrawal or distribution.

Impact

The lack of token balance verification in the allocation process could lead to misleading fund tracking, causing recipients and governance mechanisms to believe that funds are available when they are not.

Tools Used

• Manual Code Review

Recommendations

To address this issue, it is recommended to implement a balance verification check within the allocation function. Before recording an allocation, the contract should verify that the treasury’s balance for the relevant token is at least equal to the intended allocation amount.