Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Denial of Service in Treasury Deposits

Summary:

The deposit() function in Treasury.sol adds raw token amounts directly to _totalValue without any price consideration. A malicious user can artificially inflate the total value using worthless tokens, potentially leading to DOS conditions through arithmetic overflow.

Vulnerability Details:

In the deposit() function, the contract tracks the total value across all tokens by simply adding raw token amounts:

    function deposit(address token, uint256 amount) external override nonReentrant {
        // ... input validation ...
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        _balances[token] += amount;
        _totalValue += amount; // Vulnerable line
        emit Deposited(token, amount);
    }

The issue lies in treating all token amounts as equivalent when updating _totalValue. A malicious user can:

  1. Deploy a new worthless ERC20 token with a large supply

  2. Deposit this token to the Treasury

  3. Cause _totalValue to approach or reach uint256.max

Impact:

  • DOS on legitimate deposits due to arithmetic overflow when updating _totalValue

  • Incorrect total value reporting that could mislead protocol decisions

  • Potential impact on any protocol mechanisms that rely on _totalValue for calculations

Tools Used:

Manual code review

Recommendations:

Several approaches could mitigate this issue:

  1. Implement a whitelist of accepted tokens.

  2. Implement price oracle integration to track actual USD value.
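A deposit path that combines both recommendations, as an added example that is not the audited project's code. AllowlistedTreasury, IERC20Min, IPriceOracle, acceptToken and totalValueUsd are hypothetical names, and the oracle is assumed to return USD values with 18 decimals.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited Treasury.sol. All names below are hypothetical.
interface IERC20Min {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}
interface IPriceOracle {
    // Assumed: USD value (18 decimals) of `amount` base units of `token`.
    function valueInUsd(address token, uint256 amount) external view returns (uint256);
}

contract AllowlistedTreasury {
    address public immutable admin;
    IPriceOracle public immutable oracle;
    mapping(address => bool) public isAccepted; // recommendation 1: token whitelist
    address[] private _acceptedTokens;
    mapping(address => uint256) private _balances;
    bool private _locked; // minimal reentrancy lock
    event Deposited(address indexed token, uint256 received);

    constructor(IPriceOracle oracle_) { admin = msg.sender; oracle = oracle_; }

    function acceptToken(address token) external {
        require(msg.sender == admin, "not admin");
        require(!isAccepted[token], "already accepted");
        isAccepted[token] = true;
        _acceptedTokens.push(token);
    }

    function deposit(address token, uint256 amount) external {
        require(!_locked, "reentrant call");
        require(isAccepted[token], "token not accepted"); // arbitrary ERC20s are rejected
        require(amount > 0, "zero amount");
        _locked = true;
        // Credit what actually arrived, so fee-on-transfer tokens are not over-counted.
        // Tokens that return no bool need a SafeERC20-style wrapper instead of this require.
        uint256 balanceBefore = IERC20Min(token).balanceOf(address(this));
        require(IERC20Min(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = IERC20Min(token).balanceOf(address(this)) - balanceBefore;
        _balances[token] += received; // per-token accounting only, no shared raw sum
        _locked = false;
        emit Deposited(token, received);
    }

    // Recommendation 2: total value is derived on read from balances and oracle prices.
    function totalValueUsd() external view returns (uint256 total) {
        for (uint256 i = 0; i < _acceptedTokens.length; i++) {
            total += oracle.valueInUsd(_acceptedTokens[i], _balances[_acceptedTokens[i]]);
        }
    }
}
```

Because the total is computed in a view function rather than updated inside deposit(), an oracle failure or an overflow in the sum cannot block deposits of other tokens.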

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
