Untracked Token Transfers from FeeCollector to Treasury Result in Stuck Funds
Summary
The FeeCollector contract transfers raacToken to the Treasury contract using safeTransfer, but the Treasury contract does not automatically update its _balances and _totalValue state variables. This results in a mismatch between the actual token balance in the contract and the recorded balance, preventing the withdrawal of these funds.
Vulnerability Details
The FeeCollector contract executes:
This transfers raacToken to the Treasury contract without calling its deposit function.
Since
depositis the only function that updates_balances[token]and_totalValue, the transferred funds are not reflected in the state variables.The
withdrawfunction inTreasuryonly allows withdrawals up to_balances[token]. Thus, any tokens sent directly fromFeeCollector(or any other contract) remain inaccessible.
Impact
Permanent fund lock: Any raacToken transferred from FeeCollector to Treasury is effectively stuck and cannot be withdrawn.
Tools Used
Manual code review
Recommendations
Modify withdraw to consider the actual token balance instead of relying solely on _balances[token]
Lead Judging Commences
FeeCollector::_processDistributions and emergencyWithdraw directly transfer funds to Treasury where they get permanently stuck
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.