Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Malicious Deposits of Worthless Tokens Can Artificially Inflate Treasury Value

Summary

The treasury contract currently accepts deposits of any ERC20 token without verifying its market legitimacy. This opens the possibility for malicious actors to deposit tokens that have no market value, thereby artificially inflating the treasury's internal _totalValue. Such misrepresentations could mislead governance, reward distribution, and fund allocation decisions. Implementing a token whitelisting mechanism is an effective mitigation strategy to ensure that only vetted, value-bearing tokens are accepted into the treasury.

Vulnerability Details

In the current implementation of the treasury contract, the deposit function accepts any ERC20 token address without checking whether the token is recognized or holds intrinsic market value.

https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/collectors/Treasury.sol#L46-L55

    function deposit(address token, uint256 amount) external override nonReentrant {
        if (token == address(0)) revert InvalidAddress();
        if (amount == 0) revert InvalidAmount();
        // No check that `token` is a recognized asset: any ERC20 address is accepted.
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        _balances[token] += amount;
        // The raw amount is added to the aggregate, whatever the token is.
        _totalValue += amount;
        emit Deposited(token, amount);
    }

For example, when a user deposits tokens, there is no mechanism to differentiate between tokens of genuine value and those that might be worthless or manipulated. As a result, a malicious user could deposit tokens with no market value, causing the _totalValue to be inaccurately high, even though the treasury does not actually hold valuable assets. This discrepancy can lead to poor decision-making in downstream processes like fund allocation or governance actions that rely on the treasury's reported value.

Impact

Allowing deposits of valueless tokens can indirectly disrupt the protocol by skewing the treasury's reported total value. Governance modules, reward systems, or fund allocation mechanisms that depend on an accurate assessment of the treasury's assets may make flawed decisions, potentially diverting resources or approving inappropriate withdrawals.

Tools Used

  • Manual code review

Recommendations

Implement a token whitelisting mechanism. This involves maintaining a list of approved token addresses that are deemed legitimate and have verifiable market value. The deposit function should then include a check against this whitelist before accepting a deposit. For example, the updated deposit function might look like this:

    function deposit(address token, uint256 amount) external override nonReentrant {
        if (token == address(0)) revert InvalidAddress();
        if (amount == 0) revert InvalidAmount();
        // Reject any token that has not been approved.
        require(whitelistedTokens[token], "Token not whitelisted");
        // safeTransferFrom is provided by OpenZeppelin's SafeERC20
        // (requires `using SafeERC20 for IERC20;` in the contract).
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        _balances[token] += amount;
        _totalValue += amount;
        emit Deposited(token, amount);
    }

This would be the mapping:

    mapping(address => bool) public whitelistedTokens;

Finally, add some functions to update the whitelistedTokens mapping:

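    // Events emitted by the two functions below; they must be declared in the contract.
    event TokenWhitelisted(address indexed token);
    event TokenRemovedFromWhitelist(address indexed token);

    // Approve a token for deposits (admin only).
    function whitelistToken(address token) external onlyRole(DEFAULT_ADMIN_ROLE) {
        require(token != address(0), "Invalid token address");
        whitelistedTokens[token] = true;
        emit TokenWhitelisted(token);
    }

    // Revoke a previously approved token (admin only).
    function removeTokenFromWhitelist(address token) external onlyRole(DEFAULT_ADMIN_ROLE) {
        require(whitelistedTokens[token], "Token not whitelisted");
        whitelistedTokens[token] = false;
        emit TokenRemovedFromWhitelist(token);
    }

Updates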

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
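
The bookkeeping described in this finding, replayed off-chain as an added example (not code from the submission or from the RAAC repository). It runs the same deposits against a treasury with no whitelist and one with a whitelist, showing that the whitelist rejects the worthless token while raw amounts of tokens with different decimals still sum into one figure, and it includes a reconciliation check that flags a fee-on-transfer token credited for more than was received. TreasuryModel, overCredited and scenarios are hypothetical names; the tokens, decimals and the 1% fee are constructed sample values.

```javascript
// Off-chain model of the Treasury bookkeeping (illustration only, not the RAAC contract).
// Tokens, decimals and the 1% transfer fee below are constructed sample values.
const unit = (n, decimals) => BigInt(n) * 10n ** BigInt(decimals);

const USDC = { symbol: "USDC", decimals: 6 };
const DAI = { symbol: "DAI", decimals: 18 };
const JUNK = { symbol: "JUNK", decimals: 18 };             // freely minted, no market value
const FOT = { symbol: "FOT", decimals: 18, feeBps: 100n }; // fee-on-transfer token

class TreasuryModel {
  constructor(whitelist = null) {
    this.whitelist = whitelist; // null reproduces the audited deposit(): any token accepted
    this.balances = new Map();  // mirrors _balances (credited amounts)
    this.received = new Map();  // what the token contract actually transferred in
    this.totalValue = 0n;       // mirrors _totalValue
  }

  deposit(token, amount) {
    if (amount === 0n) throw new Error("InvalidAmount");
    if (this.whitelist && !this.whitelist.has(token.symbol)) {
      throw new Error("Token not whitelisted");
    }
    const got = amount - (amount * (token.feeBps ?? 0n)) / 10000n;
    this.received.set(token.symbol, (this.received.get(token.symbol) ?? 0n) + got);
    this.balances.set(token.symbol, (this.balances.get(token.symbol) ?? 0n) + amount);
    this.totalValue += amount; // raw amount, whatever the token or its decimals
  }

  // Monitoring check: tokens whose credited balance exceeds what was received.
  overCredited() {
    return [...this.balances].filter(([s, b]) => b > this.received.get(s)).map(([s]) => s);
  }
}

function scenarios() {
  const open = new TreasuryModel();             // behaviour of the audited deposit()
  open.deposit(USDC, unit(1000, 6));
  open.deposit(JUNK, unit(1000000, 18));
  open.deposit(FOT, unit(100, 18));

  const listed = new TreasuryModel(new Set(["USDC", "DAI"])); // with the whitelist check
  listed.deposit(USDC, unit(1000, 6));
  listed.deposit(DAI, unit(1, 18));
  let junkRejected = false;
  try { listed.deposit(JUNK, unit(1000000, 18)); } catch (e) { junkRejected = true; }
  return { open, listed, junkRejected };
}
```

In the whitelisted run, 1 DAI contributes 10^18 to the total while 1,000 USDC contributes 10^9, so the aggregate is only meaningful if amounts are normalized or priced before being summed.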
