The total value across all tokens is stored incorrectly
Summary
The total value across all tokens is stored incorrectly in the Treasury contract.
Vulnerability Details
When deposits are made to the Treasury address, the storage variable _totalValue is incremented by the amount of tokens transferred. The Treasury contract is expected to support multiple ERC20 tokens. These tokens can have different decimals, making _totalValue inaccurate for storing the total value across all tokens.
Additionally, a malicious user can create a malicious ERC20 contract to make a deposit where amount = type(uint256).max, causing _totalValue to reach its maximum value. This will result in every new deposit being reverted, as _totalValue += amount will overflow every time.
Impact
The total value across all tokens is stored incorrectly, which can lead to the Treasury's deposit function being blocked.
Tools Used
Mannual Review
Recommendations
Allow only approved tokens to be deposited in the Treasury contract and store the total value separately for each token using mapping(address => uint256) private tokenTotalValue;.
Lead Judging Commences
Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.