Attacker is able to DoS Treasury.sol by transferring from a malicious token
The deposit function in Treasury.sol allows any user to call it with arbitrary inputs for token and amount:
The issue arises if an attacker deploys a malicious token contract and calls deposit with type(uint256).max. This would cause _totalValue to reach type(uint256).max, so any further addition to it overflows. As a result, all subsequent calls to deposit would fail due to arithmetic overflow.
The attacker can also DoS withdraw by causing the transfer call to revert, which prevents the MANAGER_ROLE from decreasing _totalValue via withdraw.
Note: A similar issue was identified in the Lightchaser report, where allowing type(uint256).max as an amount caused problems with tokens like cUSDCv3. However, simply preventing users from passing type(uint256).max is insufficient to prevent the vulnerability described in this report, as an attacker could reach type(uint256).max through multiple deposits.
Treasury.sol can be completely DoSed.
Manual Review
Consider implementing one of the following mitigations:
Restrict access to deposit to authorized roles only.
Implement a whitelist for accepted tokens.
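A sketch of the token whitelist mitigation, with MANAGER_ROLE maintaining the list. This is an added example, not code from the audited repository: the contract name, the acceptedToken mapping, the function signatures and the use of OpenZeppelin's AccessControl and SafeERC20 are assumptions, since the page does not show the source of Treasury.sol.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Illustrative only: layout and signatures are assumed, not copied from Treasury.sol.
contract AllowlistedTreasury is AccessControl {
    using SafeERC20 for IERC20;

    bytes32 public constant MANAGER_ROLE = keccak256("MANAGER_ROLE");

    mapping(address => bool) public acceptedToken; // hypothetical allowlist
    uint256 private _totalValue;

    error TokenNotAccepted(address token);
    event TokenAcceptanceChanged(address indexed token, bool accepted);

    constructor(address admin, address manager) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(MANAGER_ROLE, manager);
    }

    function setAcceptedToken(address token, bool accepted) external onlyRole(MANAGER_ROLE) {
        acceptedToken[token] = accepted;
        emit TokenAcceptanceChanged(token, accepted);
    }

    // Still open to any caller, but an unvetted token contract is rejected
    // before it can touch _totalValue.
    function deposit(address token, uint256 amount) external {
        if (!acceptedToken[token]) revert TokenNotAccepted(token);
        uint256 balanceBefore = IERC20(token).balanceOf(address(this));
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        // Extra hardening beyond the listed mitigations: count what arrived, not the caller's amount.
        _totalValue += IERC20(token).balanceOf(address(this)) - balanceBefore;
    }

    // No allowlist check here, so delisting a token never traps funds already held.
    function withdraw(address token, uint256 amount, address to) external onlyRole(MANAGER_ROLE) {
        _totalValue -= amount;
        IERC20(token).safeTransfer(to, amount);
    }

    function totalValue() external view returns (uint256) {
        return _totalValue;
    }
}
```

The first mitigation is the same contract with `onlyRole(...)` added to deposit in place of the allowlist check.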