Core Contracts (Regnum Aurum Acquisition Corp)
Tags: Hardhat, Real World Assets, NFT
77,280 USDC

Submission Details
Severity: medium
Valid

Inaccurate Total Value Calculation in `Treasury` contract due to Token Value Normalization Issues

Summary

The Treasury contract's _totalValue calculation is fundamentally flawed: it adds raw token amounts as if every token had the same value and the same number of decimals, so the reported TVL is incorrect.

Vulnerability Details

The current implementation has several critical issues in how it tracks the total value.

Different ERC20 tokens can have different decimal places. For example:

  • USDC uses 6 decimals (1 USDC = 1000000)

  • crvUSD uses 18 decimals (1 crvUSD = 1000000000000000000)

  • WETH uses 18 decimals (1 WETH = 1000000000000000000)

The current implementation simply adds raw token amounts. For example, in deposit:

function deposit(address token, uint256 amount) external override nonReentrant {
    // ...
    _totalValue += amount; // @audit Direct addition without normalization
}

and likewise in withdraw:

function withdraw(...) {
    // @audit assumes all tokens have the same decimals and value
    _totalValue -= amount;
}

The contract assumes all tokens have equal value, which is incorrect.

The contract lacks price feed integration to convert token amounts to a common denomination (like USD), which is necessary for meaningful TVL calculation.

PoC

Here I am using just WETH and USDC as an example for simplicity, but I understand the protocol uses tokens such as RAACToken, crvUSD, RTokens, DETokens and so on.

  1. Alice deposits 1 WETH (1e18 wei, worth $2000)

    • _totalValue increases by 1e18

  2. Bob deposits 2000 USDC (2000 * 1e6 wei, worth $2000)

    • _totalValue increases by 2000 * 1e6

  3. Result: _totalValue = 1e18 + 2e9

    • Despite both deposits having equal USD value, they contribute vastly different amounts to _totalValue

    • The final _totalValue is meaningless as it mixes different decimal places and values

Impact

  • Severely inaccurate reporting of total value locked (TVL)

  • Potential mismanagement of funds due to incorrect value tracking

  • Unreliable protocol metrics for stakeholders

Tools Used

Manual code review

Recommendations

Implement price-aware and decimal-aware TVL tracking: convert each token amount into a common denomination (e.g. USD with a fixed 18-decimal scale) using the token's decimals() and a price feed before it is added to or removed from the total.
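The following is an added illustration of the recommendation, not code from the RAAC repository. The IERC20 and IPriceOracle interfaces and the 1e18 USD price convention are assumptions made for the example; the real Treasury would use the protocol's own oracle and access control. Instead of maintaining a running _totalValue at deposit-time prices (which drifts as prices move), it stores raw balances per token and computes TVL on demand from live prices and decimals, so WETH (18 decimals) and USDC (6 decimals) land on the same scale:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; not the project's code. Both interfaces below are assumptions.
interface IERC20 {
    function decimals() external view returns (uint8);
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IPriceOracle {
    /// USD price of one whole token, scaled to 1e18 (assumed convention).
    function priceUsd18(address token) external view returns (uint256);
}

contract NormalizedTreasury {
    IPriceOracle public immutable oracle;
    address[] public tokens;                       // every token ever deposited
    mapping(address => bool) private _known;
    mapping(address => uint256) private _balances; // raw token units per token

    constructor(IPriceOracle _oracle) {
        oracle = _oracle;
    }

    /// Convert a raw amount into a USD value with 18 decimals, whatever the token's decimals.
    /// 1 WETH  (1e18 units, $2000): 1e18 * 2000e18 / 1e18 = 2000e18
    /// 2000 USDC (2000e6 units, $1): 2000e6 * 1e18 / 1e6  = 2000e18
    function _usdValue(address token, uint256 amount) internal view returns (uint256) {
        uint256 price = oracle.priceUsd18(token);
        require(price > 0, "no price for token");
        uint8 dec = IERC20(token).decimals();
        return amount * price / (10 ** dec);
    }

    function deposit(address token, uint256 amount) external {
        // Book what actually arrived so fee-on-transfer tokens cannot inflate the ledger.
        uint256 before = IERC20(token).balanceOf(address(this));
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = IERC20(token).balanceOf(address(this)) - before;

        if (!_known[token]) {
            _known[token] = true;
            tokens.push(token);
        }
        _balances[token] += received;
    }

    function withdraw(address token, uint256 amount, address to) external {
        // Access control and reentrancy guard omitted for brevity; the real contract needs both.
        _balances[token] -= amount; // reverts on underflow under 0.8 checked arithmetic
        require(IERC20(token).transfer(to, amount), "transfer failed");
    }

    /// TVL in USD (1e18 scale), computed from current balances and current prices.
    function totalValue() external view returns (uint256 total) {
        for (uint256 i = 0; i < tokens.length; i++) {
            total += _usdValue(tokens[i], _balances[tokens[i]]);
        }
    }
}
```

With the PoC's numbers, Alice's 1 WETH and Bob's 2000 USDC each contribute 2000e18 and totalValue() returns 4000e18, rather than the meaningless 1e18 + 2e9. Two design points to keep in mind: the on-demand loop is unbounded in the number of distinct tokens, so a production contract should restrict deposits to an allow-list of supported assets, and the oracle's staleness and decimals must be validated rather than trusted blindly.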

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
