Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Denial of Service in Treasury Deposits

0xgee001

Summary:

The Treasury.sol contract deposit() function adds token amounts directly to _totalValue without any price consideration, allowing malicious users to artificially inflate the total value using worthless tokens, potentially leading to DOS conditions through arithmetic overflow.

Vulnerability Details:

In the deposit() function, the contract tracks the total value across all tokens by simply adding raw token amounts:

function deposit(address token, uint256 amount) external override nonReentrant {
// ... input validation ...
IERC20(token).transferFrom(msg.sender, address(this), amount);
_balances[token] += amount;
_totalValue += amount; // Vulnerable line
emit Deposited(token, amount);
}

The issue lies in treating all token amounts as equivalent when updating _totalValue. A malicious user can:

  1. Deploy a new worthless ERC20 token with a large supply

  2. Deposit this token to the Treasury

  3. Cause _totalValue to approach or reach uint256.max

Impact:

  • DOS on legitimate deposits due to arithmetic overflow when updating _totalValue

  • Incorrect total value reporting that could mislead protocol decisions

  • Potential impact on any protocol mechanisms that rely on _totalValue for calculations

Tools Used:

Manual code review

Recommendations:

Several approaches could mitigate this issue:

  1. Implement a whitelist of accepted tokens.

  2. Implement price oracle integration to track actual USD value.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!