Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Deposits to the treasury can be blocked by an attacker.

kupiasec

Title

Deposits to the treasury can be blocked by an attacker.

Summary

The state variable _totalValue of Treasury.sol represents the total amount of all kind of tokens deposited into the treasury. In addition, there is no whitelisting mechanism for deposited tokens. As a result, an attacker can block all legitimate depositing by depositing type(uint256).max amount of a self-made token.

Vulnerability Details

The state variable _totalValue of Treasury.sol represents the total amount of all kind of tokens deposited into the treasury.
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/collectors/Treasury.sol#L46-L55

function deposit(address token, uint256 amount) external override nonReentrant {
if (token == address(0)) revert InvalidAddress();
if (amount == 0) revert InvalidAmount();
IERC20(token).transferFrom(msg.sender, address(this), amount);
_balances[token] += amount;
@> _totalValue += amount;
emit Deposited(token, amount);
}

In addition, there is no whitelisting mechanism for deposited tokens. As a result, if an attacker deposits type(uint256).max - _totalValue amount of a self-made ERC20 token, _totalValue will become type(uint256).max.
Then, all subsequent depositing will be blocked due to overflow.

Impact

All legitimate depositing can be blocked.

Recommendations

_totalValue should be removed.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!