Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Improper ERC20 Transfer Handling in `Treasury.deposit` Leads to Incorrect Accounting and Fund Risks

elvin_a_block

Summary

A critical vulnerability exists in Treasury.deposit function due to missing validation of ERC20 transfer success. This issue allows failed token transfers to corrupt protocol accounting by improperly updating balance states. The flaw enables false deposit records, protocol insolvency risks, and griefing attacks through non-compliant ERC20 tokens. Immediate remediation requires adding return value checks and implementing OpenZeppelin's SafeERC20 library for secure token transfers.

Vulnerability Details

The Treasury contract contains a critical vulnerability in its deposit mechanism due to improper handling of ERC20 token transfers. The Treasury.deposit function at Treasury.sol#L50 fails to properly validate the success of the ERC20 transferFrom operation, creating a mismatch between actual token balances and contract accounting.

Key issues:

  1. Missing Return Value Check: The implementation assumes successful token transfers without verifying the boolean return value from transferFrom, violating ERC20 specification requirements

  2. State Corruption Risk: Failed transfers could still trigger balance state updates (_balances and _totalValue), creating false accounting records

  3. Protocol Incompatibility: Fails to support ERC20 tokens that return false on failed transfers rather than reverting, including several widely-used legitimate tokens

contract Treasury is ITreasury, AccessControl, ReentrancyGuard {
function deposit(address token, uint256 amount) external override nonReentrant {
if (token == address(0)) revert InvalidAddress();
if (amount == 0) revert InvalidAmount();
@> IERC20(token).transferFrom(msg.sender, address(this), amount);
_balances[token] += amount;
_totalValue += amount;
emit Deposited(token, amount);
}
}

Impact

This vulnerability poses significant risks to protocol integrity and user funds:

Direct Consequences:

  • Fund Accounting Corruption: Creates discrepancies between actual token balances and recorded deposits

  • Protocol Insolvency Risk: Treasury may report inflated asset holdings leading to unsustainable withdrawals

  • Griefing Attacks: Malicious actors could spam failed deposits to bloat protocol accounting

Financial Impact:

  • Enables direct theft of protocol credibility if exploited

  • Could facilitate secondary attacks through corrupted state data

Attack Scenarios:

  1. Attacker deposits using non-reverting ERC20 token that returns false on failed transfers

  2. Protocol records deposit without actual token transfer

  3. Attacker claims services/withdrawals based on fake deposit records

The vulnerability fundamentally undermines the treasury's primary purpose of accurate value tracking, making this a critical threat to protocol stability.

Tools Used

Manual Review

Recommendations

Add return value check and custom error in function Treasury.deposit:

bool success = IERC20(token).transferFrom(msg.sender, address(this), amount);
if (!success) revert DepositTokenTransferFailed();
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[INVALID] SafeERC20 not used

LightChaser Low-60

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.