Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Redundant `totalValue` tracking in Treasury contract

Summary

`_totalValue` sums the raw amounts of the individual tokens deposited, not the value of those tokens.

Vulnerability Details

The Treasury contract is designed to manage protocol funds with role-based access control, supporting multiple tokens and tracking their balances. It includes functions for depositing, withdrawing, and allocating funds, with roles defined for managers and allocators. The contract maintains a _balances mapping to track the balance of each token and a _totalValue variable to represent the total value across all tokens.

The issue arises from the _totalValue variable, which is incremented on every deposit and decremented on every withdrawal by the raw token amount. Summing raw amounts only makes sense if every token is denominated in one base currency with the same decimals, which is not the case for a multi-token treasury holding, for example, ETH (18 decimals) and USDC (6 decimals). Without a unified valuation metric, _totalValue becomes redundant and potentially misleading, as it simply aggregates token amounts without considering their actual value in a common currency.

The highest impact scenario occurs when _totalValue is used to make decisions or calculations that assume a consistent valuation across different tokens. This could lead to incorrect assessments of the treasury's total value, affecting financial decisions and potentially leading to mismanagement of funds.
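The pattern described above, modelled in Python as an added example (this is not code from the audited Treasury contract): raw amounts of tokens with different decimals are summed into _totalValue, a fee-on-transfer token shows the recorded balance drifting from actual holdings, and valued_total shows what a meaningful total would actually require. All token names, decimals, fees, amounts and prices are constructed.

```python
# Added example, not code from the audited Treasury contract: a Python model of
# its _balances / _totalValue bookkeeping. All tokens, amounts and prices are constructed.

class Token:
    """Minimal ERC-20 model; fee_bps > 0 makes it fee-on-transfer."""
    def __init__(self, symbol, decimals, fee_bps=0):
        self.symbol, self.decimals, self.fee_bps = symbol, decimals, fee_bps
        self.balances = {}

    def transfer(self, sender, receiver, amount):
        self.balances[sender] = self.balances.get(sender, 0) - amount
        received = amount - amount * self.fee_bps // 10_000   # fee lost in transit
        self.balances[receiver] = self.balances.get(receiver, 0) + received
        return received


class Treasury:
    """Mirrors the reported pattern: raw token amounts are summed into _totalValue."""
    def __init__(self):
        self._balances, self._totalValue = {}, 0

    def deposit(self, token, sender, amount):
        token.transfer(sender, "treasury", amount)
        # Credits `amount` (not what arrived) and adds 18-decimal wei to 6-decimal USDC units
        self._balances[token.symbol] = self._balances.get(token.symbol, 0) + amount
        self._totalValue += amount


def valued_total(treasury, tokens, prices_1e18):
    """What a meaningful total needs: a per-token price and decimal normalisation
    (result in the base currency, scaled by 1e18)."""
    return sum(bal * prices_1e18.get(sym, 0) // 10 ** tokens[sym].decimals
               for sym, bal in treasury._balances.items())


def ledger_drift(treasury, tokens):
    """Recorded balance minus what the treasury actually holds, per token."""
    return {sym: bal - tokens[sym].balances.get("treasury", 0)
            for sym, bal in treasury._balances.items()}


def run_scenario():
    tokens = {t.symbol: t for t in (Token("WETH", 18), Token("USDC", 6), Token("FOT", 18, 100))}
    for t in tokens.values():
        t.balances["alice"] = 10 ** 30                   # constructed funding
    tr = Treasury()
    tr.deposit(tokens["WETH"], "alice", 10 ** 18)        # 1 WETH
    tr.deposit(tokens["USDC"], "alice", 1000 * 10 ** 6)  # 1000 USDC
    tr.deposit(tokens["FOT"], "alice", 10_000)           # 1% fee token
    prices = {"WETH": 2000 * 10 ** 18, "USDC": 10 ** 18} # constructed USD prices, 1e18-scaled
    return tr, tokens, prices
```

After run_scenario(), _totalValue is 1000000001000010000, a number in no currency, while valued_total gives 3000 USD (scaled by 1e18) and ledger_drift shows the fee-on-transfer token over-recorded by 100 units.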

Impact

The redundant tracking of _totalValue can lead to misleading representations of the treasury's total value, affecting financial decisions and potentially leading to mismanagement of funds. This is particularly problematic in a multi-token environment where token values can vary significantly.

Tools Used

Manual Review

Recommendations

Remove the _totalValue variable and rely solely on the _balances mapping to track individual token balances. This will prevent misleading representations of total value and ensure that each token's balance is accurately tracked without assuming a common valuation metric.

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
