Submission Details
Severity:
Potential token transfer issue in Treasury contract's withdraw() function
Summary
Potential token transfer issue in Treasury contract's withdraw() function using .transfer()
Vulnerability Details
The withdraw function in Treasury.sol uses .transfer() method with fixed 2300 gas
-
Lacks SafeERC20 transfer mechanism
However, using .transfer() enforces a 2300 gas which will not work for addresses that consume a large amount of gas upon receiving tokens.
```solidityfunction withdraw(address token,uint256 amount,address recipient) external override nonReentrant onlyRole(MANAGER_ROLE) {if (token == address(0)) revert InvalidAddress();if (recipient == address(0)) revert InvalidRecipient();if (_balances[token] < amount) revert InsufficientBalance();_balances[token] -= amount;_totalValue -= amount;IERC20(token).transfer(recipient, amount);emit Withdrawn(token, amount, recipient);}
```
Impact
Low/Med risk: Possible token transfer interruptions
Transactions if failed, may cause a lock of funds or unexpectedly revert.
Compromises fund withdrawal reliability
Tools Used
Manual code review
Recommendations
Replace .transfer() with safeTransfer()
Import and use OpenZeppelin's
SafeERC20library for safer implementation
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Reason: Known issue
Assigned finding tags:
[INVALID] SafeERC20 not used
LightChaser Low-60
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.