The allocateFunds function lacks a validation check to ensure that the allocated amount does not exceed a predefined maximum limit or the allocator's available balance. This could allow allocations of unrealistically high amounts, potentially leading to accounting inconsistencies, misallocation of funds, or denial-of-service scenarios.
The vulnerability lies in the following part of the allocateFunds function:
The function does not enforce a maximum limit on the amount that can be allocated. This could allow an allocator to allocate an excessively large amount, potentially disrupting the protocol's accounting or leading to unintended behavior.
The function does not verify whether the allocator has sufficient balance or authority to allocate the specified amount.
Allocating excessive amounts or exceeding available balances could disrupt the protocol's accounting and allocation mechanisms.
Misallocated funds might not be recoverable or could cause unexpected failures when attempting disbursement.
Manual Code Review
Define a MAX_ALLOCATION limit and ensure that amount does not exceed it.
If allocations are tied to actual balances, check that msg.sender has sufficient balance before allocation.
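The following is an added illustration of the two recommended checks, not the audited project's code. The storage layout (balances, allocations), the deposit model, the custom errors and the MAX_ALLOCATION value are assumptions made for the example; the first contract shows the unchecked shape the finding describes, the second the mitigated form.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example for this finding; the audited contract's actual storage
// and names are not on this page, so everything below is an assumption.

// Unchecked shape: the finding's allocateFunds without a cap or balance check.
contract AllocatorUnchecked {
    mapping(address => uint256) public balances;     // assumed: funds each allocator controls
    mapping(address => uint256) public allocations;  // assumed: amount allocated per recipient

    function allocateFunds(address recipient, uint256 amount) external {
        // Any amount is accepted, even one far above balances[msg.sender],
        // so the sum of allocations can drift away from real deposits.
        allocations[recipient] += amount;
    }
}

// Mitigated shape: cap the amount and require the allocator to hold it.
contract AllocatorChecked {
    // Assumed cap; the real value is a protocol parameter, not a universal constant.
    uint256 public constant MAX_ALLOCATION = 1_000_000e18;

    mapping(address => uint256) public balances;
    mapping(address => uint256) public allocations;

    error ZeroAmount();
    error ExceedsMaxAllocation(uint256 amount, uint256 max);
    error InsufficientBalance(uint256 requested, uint256 available);

    event FundsAllocated(address indexed allocator, address indexed recipient, uint256 amount);

    // Assumed funding path so that balances[msg.sender] has a real backing.
    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function allocateFunds(address recipient, uint256 amount) external {
        if (amount == 0) revert ZeroAmount();
        if (amount > MAX_ALLOCATION) revert ExceedsMaxAllocation(amount, MAX_ALLOCATION);

        uint256 available = balances[msg.sender];
        if (amount > available) revert InsufficientBalance(amount, available);

        // Checks-effects ordering: debit the allocator before crediting the
        // recipient, so total allocations can never exceed total deposits.
        balances[msg.sender] = available - amount;
        allocations[recipient] += amount;

        emit FundsAllocated(msg.sender, recipient, amount);
    }
}
```

The invariant worth asserting in the project's test suite is that the sum of all allocations never exceeds the sum of all deposits; the unchecked contract violates it on the first oversized call, while the checked one reverts with a typed error that callers and monitoring can distinguish from other failures. Whether the cap should be per call, per recipient, or per allocator is a protocol decision that the finding leaves open.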