Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Any user can deposit tokens inside the `Treasury` contract

Summary

Inside the `Treasury` contract, any user can deposit any token. This creates two issues. First, `_totalValue` is a single counter shared by all tokens, so amounts of tokens with different decimals get mixed up. Second, any user can brick the contract with a single transaction by creating their own token that does not actually transfer any tokens, which still increases the variable and prevents further deposits.

Vulnerability Details

A malicious user can create their own token and try to transfer a value close to `type(uint256).max` in order to brick the contract. This can be done by creating a token whose `transferFrom(...)` always returns false. To also prevent "withdrawing", the token's `transfer(...)` can be made to always revert. This issue is different from the known issue about cUSDC, since the `amount` parameter can be (and most likely will be) different from `type(uint256).max`.

For example, let's say we are the first depositor. If we try to transfer `type(uint256).max - 1`, the `transferFrom(...)` call executes without reverting and `_totalValue` is increased to the max, making the contract useless, since no more tokens can be deposited or withdrawn. An `amount` equal to `type(uint256).max - 1` also bypasses the `amount != type(uint256).max` check for the known issue.

Impact

The contract will have an incorrect `_totalValue` and can easily be bricked, creating a DoS.

Tools Used

Manual review

Recommendations

Do not allow arbitrary tokens to be deposited, and change the accounting mechanism.
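
One way to implement this recommendation, as an added sketch that is not the audited project's code: a token allowlist, per-token totals, and crediting only the measured balance change. The contract name, the `manager` role and the function signatures are assumptions; `SafeERC20` is OpenZeppelin's library.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical sketch, not the audited Treasury: names and layout are assumptions.
contract AllowlistedTreasury {
    using SafeERC20 for IERC20;

    address public immutable manager;               // assumed admin role
    mapping(address => bool) public allowedToken;   // tokens vetted by the manager
    mapping(address => uint256) public totalValue;  // per token, in that token's own decimals

    error NotManager();
    error TokenNotAllowed(address token);
    error NothingReceived();

    constructor(address manager_) {
        manager = manager_;
    }

    function setAllowedToken(address token, bool allowed) external {
        if (msg.sender != manager) revert NotManager();
        allowedToken[token] = allowed;
    }

    function deposit(address token, uint256 amount) external {
        // Unknown tokens never reach the accounting.
        if (!allowedToken[token]) revert TokenNotAllowed(token);

        // Credit what actually arrived, not what the caller claimed.
        uint256 balanceBefore = IERC20(token).balanceOf(address(this));
        // safeTransferFrom reverts if the token returns false or reverts.
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = IERC20(token).balanceOf(address(this)) - balanceBefore;
        if (received == 0) revert NothingReceived();

        totalValue[token] += received;
    }

    function withdraw(address token, uint256 amount, address recipient) external {
        if (msg.sender != manager) revert NotManager();
        totalValue[token] -= amount; // checked arithmetic: reverts on underflow
        IERC20(token).safeTransfer(recipient, amount);
    }
}
```

Measuring the balance delta also keeps the totals correct for fee-on-transfer tokens, which the judge's finding tag lists alongside malicious tokens and differing decimals.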

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
