Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Lack of Token Tracking in withdraw Function Leading to Potential Loss of Funds

Summary

The lack of token tracking in the withdraw function is a high severity issue that can lead to potential loss of funds, confusion, and security vulnerabilities. Implementing proper token tracking and ensuring the allocation and withdrawal logic specify which token is being handled are essential to address this issue and enhance the security and reliability of the contract. Conducting a thorough audit and testing of the contract is also recommended to ensure the logic is correctly implemented and secure.

Vulnerability Details

The withdraw function in the Treasury contract does not properly track which tokens were deposited by each user. This can lead to confusion and potential loss of funds when users attempt to withdraw their deposits. The allocator can allocate funds to users without specifying which token is being allocated, resulting in incorrect allocations. Additionally, the manager can withdraw any token amount independent of what a user initially deposited, leading to users receiving the wrong token or an incorrect amount.

Impact

  • Loss of Funds: Users may lose their deposited funds if the allocator or manager allocates or withdraws the wrong token or amount.

  • Confusion: Users may be confused about which tokens they have deposited and which tokens they are withdrawing.

  • Security Vulnerability: The lack of token tracking can be exploited by malicious users or managers, leading to potential security vulnerabilities.

Tools Used

Recommendations

  1. Token Tracking: Implement a mapping to track which tokens were deposited by each user. This can be done using a nested mapping to store the deposited amounts for each user and token.

  2. Allocation Logic: Ensure that the allocation logic specifies which token is being allocated to users.

  3. Withdrawal Logic: Ensure that the withdrawal logic checks the user's deposited tokens and amounts before allowing a withdrawal.

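    // State and event the snippet relies on: user => token => deposited amount
    mapping(address => mapping(address => uint256)) public deposits;

    event Withdrawal(address indexed user, address indexed token, uint256 amount);

    function withdraw(address tokenAddress, uint256 amount) external {
        // Only allow withdrawing what this user deposited of this token
        require(deposits[msg.sender][tokenAddress] >= amount, "Insufficient funds");
        deposits[msg.sender][tokenAddress] -= amount;
        // Transfer the tokens from the contract to the user
        require(IERC20(tokenAddress).transfer(msg.sender, amount), "Transfer failed");
        emit Withdrawal(msg.sender, tokenAddress, amount);
    }
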
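
Recommendations 1 and 2 combined, as an added example that is not the audited Treasury code or the submitter's own: deposits and allocations are keyed by token, and allocateFunds rejects any allocation that would push the sum of allocations for a token above the accounted balance of that token. The contract name, the single allocator address, and all mapping, event and parameter names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example with hypothetical names; assumes standard ERC-20 tokens
// that return a bool and do not charge a fee on transfer.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract TokenScopedTreasury {
    address public immutable allocator; // assumed: a single allocator account

    mapping(address => mapping(address => uint256)) public deposits;    // user => token => amount
    mapping(address => uint256) public totalDeposited;                  // token => accounted balance
    mapping(address => mapping(address => uint256)) public allocations; // token => recipient => amount
    mapping(address => uint256) public totalAllocated;                  // token => sum of allocations

    event Deposited(address indexed user, address indexed token, uint256 amount);
    event FundsAllocated(address indexed token, address indexed recipient, uint256 amount);

    constructor(address allocator_) {
        allocator = allocator_;
    }

    function deposit(address token, uint256 amount) external {
        require(token != address(0) && amount > 0, "Invalid deposit");
        // Record who deposited which token before pulling the funds in.
        deposits[msg.sender][token] += amount;
        totalDeposited[token] += amount;
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "Transfer failed");
        emit Deposited(msg.sender, token, amount);
    }

    // Sets (does not add to) the allocation of `token` for `recipient`.
    function allocateFunds(address token, address recipient, uint256 amount) external {
        require(msg.sender == allocator, "Not allocator");
        require(recipient != address(0), "Invalid recipient");
        uint256 previous = allocations[token][recipient];
        // totalAllocated[token] always includes `previous`, so this cannot underflow.
        uint256 newTotal = totalAllocated[token] - previous + amount;
        // All allocations of this token together may not exceed what is held.
        require(newTotal <= totalDeposited[token], "Exceeds token balance");
        allocations[token][recipient] = amount;
        totalAllocated[token] = newTotal;
        emit FundsAllocated(token, recipient, amount);
    }
}
```

A withdraw function added to this contract would also need to decrement totalDeposited[token], otherwise the allocation cap drifts above the real balance.
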
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::allocateFunds doesn't say what token you are actually allocating, doesn't check balances, or existing allocations to other recipients
