The lack of token specification in the allocateFunds function is a high severity issue that can lead to potential token mismatch, allocation ambiguity, and withdrawal issues. Implementing token specification, state tracking, and conducting thorough audits and testing are essential to address this issue and enhance the security and reliability of the contract.
The allocateFunds function in the Treasury contract does not specify which token is being allocated to the user. This can lead to a scenario where a user who deposited a specific token (e.g., USDC) may receive a different token (e.g., ETH) during withdrawal. The allocator can allocate funds without specifying the token, leading to ambiguity and potential misuse of funds. During withdrawal, the manager may withdraw a different token than what the user initially deposited, leading to potential financial loss and confusion.
Token Mismatch: Users may receive a different token than what they initially deposited, leading to potential financial loss and confusion.
Allocation Ambiguity: Lack of token specification can lead to ambiguity and potential misuse of funds.
Withdrawal Issues: Managers may withdraw a different token than what the user initially deposited, leading to potential financial loss and confusion.
Manual review.
Token Specification: Ensure that the allocateFunds function specifies the token being allocated to the user. This can be done by adding a token parameter to the function.
State Tracking: Implement state tracking to record the allocated amounts for each user and token.
Audit and Testing: Conduct a thorough audit and testing of the contract to ensure that the allocation and withdrawal logic are correctly implemented and secure.
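As an added illustration of the recommendation (not the audited Treasury contract's code; the allocator/manager roles, the `withdraw` function and the OpenZeppelin imports are assumed), the allocation and withdrawal paths below are both keyed on (user, token), so a manager cannot pay out a token other than the one that was allocated:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative treasury (not the audited contract): allocations are recorded
/// per (user, token) so a withdrawal can only pay out the token that was allocated.
contract TokenScopedTreasury {
    using SafeERC20 for IERC20;

    address public immutable allocator; // assumed role: creates allocations
    address public immutable manager;   // assumed role: executes withdrawals

    // user => token => amount still allocated to that user in that token
    mapping(address => mapping(address => uint256)) public allocated;
    // token => sum of all outstanding allocations, to cap new allocations
    mapping(address => uint256) public totalAllocated;

    event Allocated(address indexed user, address indexed token, uint256 amount);
    event Withdrawn(address indexed user, address indexed token, uint256 amount);

    constructor(address _allocator, address _manager) {
        allocator = _allocator;
        manager = _manager;
    }

    /// Recommended form: the token is an explicit parameter, and an allocation
    /// can never exceed the treasury's unallocated balance of that token.
    function allocateFunds(address user, address token, uint256 amount) external {
        require(msg.sender == allocator, "not allocator");
        require(user != address(0) && token != address(0), "zero address");
        // Reverts on underflow if the treasury holds less than it has promised.
        uint256 free = IERC20(token).balanceOf(address(this)) - totalAllocated[token];
        require(amount <= free, "insufficient unallocated balance");
        allocated[user][token] += amount;
        totalAllocated[token] += amount;
        emit Allocated(user, token, amount);
    }

    /// Withdrawal is bound to the same (user, token) key: paying out a different
    /// token than the one allocated fails the allocation check and reverts.
    function withdraw(address user, address token, uint256 amount) external {
        require(msg.sender == manager, "not manager");
        require(allocated[user][token] >= amount, "exceeds allocation for token");
        allocated[user][token] -= amount;
        totalAllocated[token] -= amount;
        IERC20(token).safeTransfer(user, amount);
        emit Withdrawn(user, token, amount);
    }
}
```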