The Treasury contract implements a flawed total value tracking mechanism that combines different token amounts without considering their decimals or relative values, leading to meaningless and potentially misleading total value calculations.
The contract maintains a _totalValue state variable that is updated during deposits and withdrawals:
The implementation has several critical flaws:
Adds raw token amounts that use different decimal scales (e.g. USDC with 6 decimals and ETH with 18 decimals) as if they were comparable units
Ignores differences in token price and price volatility, so one unit of each token is weighted identically
Never defines what unit the total is denominated in (USD, ETH, or simply a raw sum of integers)
Has no mechanism to revalue the total when prices move; once recorded, the stored figure is never updated
These flaws have the following impact:
Incorrect total value reporting, which can lead to mismanagement of funds
Misleading protocol metrics
Potential economic vulnerabilities if other contracts or off-chain systems rely on the total value calculation
Risk of overflow when combining large amounts with different decimal scales (a revert under the checked arithmetic of Solidity 0.8 and later, i.e. a denial of service on deposits; silent wraparound on older compilers)
Tools used: manual code review
Recommended mitigation:
Either restrict deposits to a whitelist of tokens that share a single decimal scale,
Or normalize all amounts to a standard decimal scale (e.g. 18) before aggregating them
Use price oracles so that the total is denominated in one unit (e.g. USD) and reflects current prices
Track balances per token separately instead of maintaining a single aggregate counter
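The following contracts are an added example written for this write-up; they are not the audited Treasury code. The first reproduces the pattern the finding describes (raw amounts summed into one counter); the second applies the mitigations above: a token whitelist, per-token balances, normalization to 18 decimals, and a USD-denominated total computed on demand from an oracle. The IPriceFeed interface, its latestPriceE8 function and the 1e8 price scale are assumptions of this example, not part of the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used below (decimals() is the ERC-20 metadata extension)
interface IERC20Metadata {
    function decimals() external view returns (uint8);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical oracle interface (an assumption of this example): USD price of `token` scaled by 1e8
interface IPriceFeed {
    function latestPriceE8(address token) external view returns (uint256);
}

// The pattern the finding describes: raw amounts of unrelated tokens summed into one counter.
// Depositing 1,000,000 USDC (1e12 raw units) and 1 WETH (1e18 raw units) leaves _totalValue
// at 1.000001e18, so a million dollars of USDC is invisible in the "total".
contract TreasuryRawSum {
    uint256 public _totalValue;
    mapping(address => uint256) public balances;

    function deposit(address token, uint256 amount) external {
        require(IERC20Metadata(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[token] += amount;
        _totalValue += amount; // 6-decimal and 18-decimal units added as if they were comparable
    }

    function withdraw(address token, uint256 amount) external {
        balances[token] -= amount;
        _totalValue -= amount;
        require(IERC20Metadata(token).transfer(msg.sender, amount), "transfer failed");
    }
}

// Hardened pattern: whitelisted tokens, per-token balances in raw units,
// 18-decimal normalization, and a USD-denominated total computed on demand from an oracle.
contract TreasuryNormalized {
    uint8 private constant TARGET_DECIMALS = 18;
    address public immutable owner;
    IPriceFeed public immutable feed;
    mapping(address => bool) public allowedToken;
    mapping(address => uint256) public balances; // raw token units, tracked per token

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IPriceFeed _feed) { owner = msg.sender; feed = _feed; }

    // Tokens with more than 18 decimals would need lossy division, so they are rejected up front
    function allowToken(address token) external onlyOwner {
        require(IERC20Metadata(token).decimals() <= TARGET_DECIMALS, "unsupported decimals");
        allowedToken[token] = true;
    }

    function deposit(address token, uint256 amount) external {
        require(allowedToken[token], "token not whitelisted");
        require(IERC20Metadata(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[token] += amount; // no aggregate counter: each token is accounted separately
    }

    function withdraw(address token, uint256 amount) external onlyOwner {
        balances[token] -= amount; // reverts on underflow under 0.8 checked arithmetic
        require(IERC20Metadata(token).transfer(msg.sender, amount), "transfer failed");
    }

    // Scale a raw amount to 18 decimals so amounts of different tokens share one unit
    function normalize(address token, uint256 amount) public view returns (uint256) {
        uint8 d = IERC20Metadata(token).decimals();
        return amount * 10 ** uint256(TARGET_DECIMALS - d); // reverts if d > 18
    }

    // USD value (1e18 scale) of one token position, priced at call time rather than stored at deposit
    function valueUsdE18(address token) public view returns (uint256) {
        // normalized amount (1e18) * price (1e8) / 1e8 -> USD with 18 decimals
        return normalize(token, balances[token]) * feed.latestPriceE8(token) / 1e8;
    }

    // USD-denominated total over the given tokens; recomputed each call, so it follows price changes
    function totalValueUsdE18(address[] calldata tokens) external view returns (uint256 total) {
        for (uint256 i = 0; i < tokens.length; i++) {
            require(allowedToken[tokens[i]], "token not whitelisted");
            total += valueUsdE18(tokens[i]);
        }
    }
}
```

The hardened version deliberately keeps no stored aggregate: the only persistent state is the per-token raw balance, and the USD total is derived when asked for, so it cannot drift from prices. In a production contract the oracle read would also need staleness and sanity checks (stale round, zero price), which are omitted here to keep the example focused on the accounting.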