The Treasury contract implements an allocateFunds function. As described in the documentation, fund allocation:
Maps allocator => recipient => amount
Records intended fund distributions
Does not affect actual token balances
The problem arises because allocateFunds doesn't check the amount being allocated. Therefore, it is possible to allocate more funds than the treasury holds.
Also, allocateFunds doesn't specify which token is being allocated. We can suppose that it is the RAAC token, but the treasury allows depositing any existing ERC20 token. The expected behaviour is unclear.
The allocator can call allocateFunds, passing any value for amount, and the call will succeed. This is not the expected behaviour, as it should not be possible to allocate more funds than the treasury owns.
The impact of this vulnerability is medium as it can lead to incorrect assumptions regarding allocated amounts.
Manual review.
Make sure to track the total allocated amount, increment it when funds are allocated, and ensure that the allocated amount is not greater than the amount the treasury owns.
Depending on the expected behaviour, allocation tracking might need modification, to allow tracking which token is allocated.
If only RAAC tokens should be allocated, the total allocated amount should be compared to _balances[raacToken], which would require adding a raacToken address variable to the contract.
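A sketch of the recommended check, added here as an example and not taken from the RAAC code base. It assumes only RAAC is allocated and that a new allocation replaces the recipient's previous one; the contract name, deposit, allocator, totalAllocated, getAllocation and the error names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20Minimal {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Sketch only. allocateFunds, _balances and raacToken come from the finding;
// every other name here is hypothetical.
contract TreasuryAllocationSketch {
    address public immutable raacToken;
    address public immutable allocator; // assumed: one allocator account
    mapping(address => uint256) private _balances; // token => amount held
    // allocator => recipient => amount (bookkeeping only, no token movement)
    mapping(address => mapping(address => uint256)) private _allocations;
    uint256 public totalAllocated; // sum of all live RAAC allocations

    error NotAllocator();
    error AllocationExceedsBalance(uint256 requestedTotal, uint256 held);

    constructor(address raacToken_, address allocator_) {
        raacToken = raacToken_;
        allocator = allocator_;
    }

    // Any ERC20 can be deposited; only _balances[raacToken] backs allocations.
    function deposit(address token, uint256 amount) external {
        bool ok = IERC20Minimal(token).transferFrom(msg.sender, address(this), amount);
        require(ok, "transfer failed");
        _balances[token] += amount;
    }

    function allocateFunds(address recipient, uint256 amount) external {
        if (msg.sender != allocator) revert NotAllocator();
        // Assumed semantics: a new call replaces the recipient's previous allocation.
        uint256 previous = _allocations[msg.sender][recipient];
        uint256 newTotal = totalAllocated - previous + amount;
        uint256 held = _balances[raacToken];
        // The missing check: never record more than the treasury holds.
        if (newTotal > held) revert AllocationExceedsBalance(newTotal, held);
        totalAllocated = newTotal;
        _allocations[msg.sender][recipient] = amount;
    }

    function getAllocation(address allocator_, address recipient) external view returns (uint256) {
        return _allocations[allocator_][recipient];
    }
}
```

Any withdrawal path would need the same comparison, so that the held RAAC balance cannot drop below totalAllocated.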