Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Non-transferable tokens can damage the contract

Summary

A malicious user can deposit a non-transferable token into the contract. Because the token's transfer reverts, every attempt by the admin to withdraw it and clean up the contract's accounting fails.

Vulnerability Details

This non-transferable token prevents _totalValue from ever being corrected: the withdraw function below subtracts the amount and then calls the token's transfer, and when that transfer reverts the whole call is rolled back, so the stale accounting is never cleaned.

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/collectors/Treasury.sol#L57-L78

```solidity
/**
 * @notice Withdraws tokens from the treasury
 * @dev Only callable by accounts with MANAGER_ROLE
 * @param token Address of token to withdraw
 * @param amount Amount of tokens to withdraw
 * @param recipient Address to receive the tokens
 */
function withdraw(
    address token,
    uint256 amount,
    address recipient
) external override nonReentrant onlyRole(MANAGER_ROLE) {
    if (token == address(0)) revert InvalidAddress();
    if (recipient == address(0)) revert InvalidRecipient();
    if (_balances[token] < amount) revert InsufficientBalance();

    _balances[token] -= amount;
    _totalValue -= amount;

    IERC20(token).transfer(recipient, amount);

    emit Withdrawn(token, amount, recipient);
}
```

Impact

A non-transferable token corrupts the contract's accounting: once it has been deposited it can never be removed (if the token is written to revert on every transfer), so _totalValue stays inflated permanently.

Tools Used

Manual review

Recommendations

Fix the issues already stated.
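As an added example (not the RAAC Treasury code or the author's submission), a hypothetical hardened treasury that only accepts allowlisted tokens, credits the balance actually received, and moves tokens through SafeERC20 so a token that reverts or returns false cannot leave _totalValue inconsistent. It assumes OpenZeppelin's IERC20, SafeERC20 and AccessControl.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

/// Hypothetical hardened treasury (added example, not the project's code).
contract HardenedTreasury is AccessControl {
    using SafeERC20 for IERC20;

    bytes32 public constant MANAGER_ROLE = keccak256("MANAGER_ROLE");

    // Admin-curated allowlist: only tokens whose units are comparable
    // (same decimals, no transfer fees, honest transfer) may be deposited.
    mapping(address => bool) public allowedToken;
    mapping(address => uint256) private _balances;
    uint256 private _totalValue; // sum of raw balances of allowed tokens

    error TokenNotAllowed(address token);
    error InsufficientBalance();

    constructor(address admin) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    function setAllowedToken(address token, bool allowed) external onlyRole(DEFAULT_ADMIN_ROLE) {
        allowedToken[token] = allowed;
    }

    function deposit(address token, uint256 amount) external {
        if (!allowedToken[token]) revert TokenNotAllowed(token);
        uint256 before = IERC20(token).balanceOf(address(this));
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        // Credit only what actually arrived, so a fee-on-transfer token
        // cannot inflate _totalValue above the treasury's real holdings.
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        _balances[token] += received;
        _totalValue += received;
    }

    function withdraw(address token, uint256 amount, address recipient) external onlyRole(MANAGER_ROLE) {
        if (_balances[token] < amount) revert InsufficientBalance();
        _balances[token] -= amount;
        _totalValue -= amount;
        // safeTransfer reverts on false-returning tokens instead of silently desyncing the books.
        IERC20(token).safeTransfer(recipient, amount);
    }

    function totalValue() external view returns (uint256) { return _totalValue; }
}
```

The reentrancy guard and zero-address checks of the original withdraw are omitted here for brevity; a deployment would keep them.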

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
