Summary

The Treasury.sol contract fails to update its _totalValue variable when it receives direct transfers from FeeCollector.sol. This results in an inaccurate reflection of the treasury's holdings, which can lead to incorrect financial decisions and governance actions.

Vulnerability Details

Issue: _totalValue Not Reflecting Direct Transfers

In the Treasury.sol contract, the _totalValue variable is only updated when funds are deposited through the deposit() function. However, when tokens are transferred directly from FeeCollector.sol, the _totalValue is not updated, creating a mismatch between the actual token balances and the reported total value.

Example of the Issue:

1. FeeCollector.sol transfers tokens directly to Treasury.solwhen transferrinf RAAC tokens of treasury calculated shares.

2. The treasury's balance increases, but the _totalValue variable remains unchanged.

3. Calls to getTotalValue() return a value lower than the actual treasury balance, resulting in inaccurate reporting.

Impact

• Incorrect Treasury Valuation: On-chain consumers may receive misleading information regarding the actual available funds in the treasury.

Tools Used

• Manual Code Review

Recommendations

1. Update _totalValue Whenever Funds Are Received:
   Implement a mechanism to ensure the _totalValue is updated whenever the treasury receives funds, including those transferred directly from FeeCollector.sol.

   • Possible solutions:

     • Track ERC20 transfers to the contract.

     • Use event-based triggers to sync balances when funds are transferred.

2. Modify getTotalValue() to Reflect Real-Time Balances:

   function getTotalValue() public view override returns (uint256) {

   return address(this).balance; // or sum balances of all tracked ERC20 tokens

   }