Unrecoverable tokens sent via direct transfer to the Treasury contract.
The Treasury contract's withdraw function relies on the _balances mapping to track token holdings. Direct transfers to the contract address (using transfer or send) bypass the deposit function and do not update _balances. Importantly, the fee collector sends funds to the Treasury by direct transfer. Consequently, the contract has no mechanism to withdraw or otherwise manage these directly transferred tokens, so they remain stuck in the contract.
Problematic Code Snippet:
The _balances mapping is only updated in the deposit function. Direct transfers do not trigger this update, leading to a discrepancy between the contract's actual token balance and the tracked balance.
Loss of Funds: Tokens sent directly to the Treasury contract become inaccessible through normal contract functions.
Stuck Assets: Untracked tokens are effectively locked in the contract.
All fees sent by the fee collector will be stuck in the contract forever.
Manual code review.
Implement a recovery mechanism within the Treasury contract to handle tokens received via direct transfer. Consider adding a function, callable only by a Manager role, that withdraws tokens based on the contract's actual balance rather than the _balances mapping. Since a mapping cannot be iterated on-chain, the contract should maintain a per-token total of tracked deposits; the recovery function then compares each token's actual balance against that total and allows withdrawal of only the surplus, so depositors' tracked funds are never affected.
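A minimal sketch of that mitigation, added here as an illustration and not the audited project's own code. The contract shape (a Treasury with _balances, deposit and withdraw), the Manager role, the per-token totalTracked sum and the recoverUntracked function are all assumptions made for the example; the real contract's storage layout and API may differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface used below (assumption: standard ERC20 return values).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical Treasury: shape assumed for illustration, not the audited contract.
contract Treasury {
    address public manager; // hypothetical Manager role

    // depositor => token => tracked amount (only ever updated by deposit/withdraw)
    mapping(address => mapping(address => uint256)) private _balances;

    // token => sum of all tracked balances. This is what lets us tell tracked
    // deposits apart from tokens that arrived via a plain transfer().
    mapping(address => uint256) public totalTracked;

    error NotManager();
    error NothingToRecover();

    constructor(address manager_) {
        manager = manager_;
    }

    modifier onlyManager() {
        if (msg.sender != manager) revert NotManager();
        _;
    }

    // The only path that credits _balances; pulls tokens from the caller.
    function deposit(address token, uint256 amount) external {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        _balances[msg.sender][token] += amount;
        totalTracked[token] += amount;
    }

    // Normal withdrawal, bounded by the caller's tracked balance.
    function withdraw(address token, uint256 amount) external {
        uint256 bal = _balances[msg.sender][token];
        require(bal >= amount, "insufficient tracked balance");
        _balances[msg.sender][token] = bal - amount;
        totalTracked[token] -= amount;
        require(IERC20(token).transfer(msg.sender, amount), "transfer failed");
    }

    // Tokens sent by direct transfer show up in balanceOf but not in totalTracked.
    // With 0.8 checked arithmetic this reverts if balanceOf < totalTracked,
    // which would indicate a fee-on-transfer or rebasing token, not a surplus.
    function untracked(address token) public view returns (uint256) {
        return IERC20(token).balanceOf(address(this)) - totalTracked[token];
    }

    // Manager-only sweep of the untracked surplus. Because it moves only
    // balanceOf - totalTracked, it can never touch depositors' tracked funds.
    function recoverUntracked(address token, address to) external onlyManager returns (uint256 amount) {
        amount = untracked(token);
        if (amount == 0) revert NothingToRecover();
        require(IERC20(token).transfer(to, amount), "transfer failed");
    }
}
```

Two caveats a reviewer would raise on this pattern: tokens that do not return a bool from transfer/transferFrom (some widely used ones do not) will make the require checks revert, so a production version should use a SafeERC20-style wrapper; and if the fee collector is a trusted in-protocol contract, the simpler fix is to have it call deposit (or a dedicated crediting function) instead of transferring directly, with the sweep kept only as a backstop for tokens sent by mistake.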