Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Valid

No function to withdraw `RAAC` tokens from treasury

Summary

There is no function to withdraw RAAC tokens from treasury.

Vulnerability Details

FeeCollector directly sends part of collected RAAC tokens to treasury:

```solidity
if (shares[3] > 0) raacToken.safeTransfer(treasury, shares[3]);
```

The problem is that the treasury has no function to withdraw tokens that are sent directly to its balance:

```solidity
function withdraw(
    address token,
    uint256 amount,
    address recipient
) external override nonReentrant onlyRole(MANAGER_ROLE) {
    if (token == address(0)) revert InvalidAddress();
    if (recipient == address(0)) revert InvalidRecipient();
    if (_balances[token] < amount) revert InsufficientBalance();
    _balances[token] -= amount;
    _totalValue -= amount;
    IERC20(token).transfer(recipient, amount);
    emit Withdrawn(token, amount, recipient);
}
```

This function can withdraw at most `_balances[token]`, meaning only tokens sent using `deposit()` can be withdrawn. If the manager tries to withdraw the contract's whole balance, the function will revert, because not all tokens were accounted for in `_balances[token]` (`raacToken.balanceOf(address(this))` will always be > `_balances[token]`).

Impact

RAAC tokens sent to treasury from FeeCollector will be stuck forever.

Tools Used

Manual review.

Recommendations

Send RAAC tokens to the treasury using `Treasury.deposit()`.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

FeeCollector::_processDistributions and emergencyWithdraw directly transfer funds to Treasury where they get permanently stuck
