Funds transferred from FeeCollector.sol to Treasury.sol become permanently locked due to improper transfer methods. Instead of using the deposit function in Treasury.sol, FeeCollector.sol transfers funds using .safeTransfer, which does not update _balances in Treasury.sol. As a result, the withdraw function fails due to an insufficient recorded balance, making it impossible to retrieve the funds.
In FeeCollector.sol, funds are transferred to Treasury.sol using .safeTransfer instead of calling the deposit function:
This means that Treasury.sol does not record the deposit in its _balances mapping:
Since _balances[token] is never updated for these transfers, any attempt to withdraw funds via withdraw() fails with an InsufficientBalance error:
This effectively locks the funds in Treasury.sol, making them unrecoverable.
Permanent loss of funds: Funds transferred from FeeCollector.sol to Treasury.sol become irretrievable.
Manual code review
Modify FeeCollector.sol to use the deposit function in Treasury.sol instead of .safeTransfer:
This ensures that _balances[token] in Treasury.sol is updated correctly, allowing future withdrawals.
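The accounting gap described above, as an added Solidity sketch that is not the audited FeeCollector.sol or Treasury.sol code: it shows the direct-transfer path that bypasses the ledger next to the deposit path that updates it. Assumptions: the contract names TreasurySketch and FeeCollectorSketch, the function names forwardDirect and forwardViaDeposit, the function signatures, a deposit that pulls tokens with transferFrom (so the collector must approve first), and plain transfer standing in for .safeTransfer; access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified sketch, NOT the audited contracts. Only deposit, withdraw,
// _balances and InsufficientBalance are names taken from the finding.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

contract TreasurySketch {
    error InsufficientBalance();
    mapping(address => uint256) private _balances; // internal ledger, per token

    // Assumed shape: deposit pulls the tokens AND records them in the ledger.
    function deposit(address token, uint256 amount) external {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "pull failed");
        _balances[token] += amount;
    }

    // Withdrawals are gated on the ledger, not on the real token balance.
    function withdraw(address token, uint256 amount, address to) external {
        if (_balances[token] < amount) revert InsufficientBalance();
        _balances[token] -= amount;
        require(IERC20(token).transfer(to, amount), "send failed");
    }
}

contract FeeCollectorSketch {
    TreasurySketch public immutable treasury;
    constructor(TreasurySketch t) { treasury = t; }

    // Reported pattern: tokens reach the treasury but _balances[token] is
    // unchanged, so a later withdraw() reverts with InsufficientBalance.
    function forwardDirect(address token, uint256 amount) external {
        require(IERC20(token).transfer(address(treasury), amount), "transfer failed");
    }

    // Recommended pattern: approve, then deposit, so the ledger matches
    // the tokens actually held and withdraw() can release them.
    function forwardViaDeposit(address token, uint256 amount) external {
        require(IERC20(token).approve(address(treasury), amount), "approve failed");
        treasury.deposit(token, amount);
    }
}
```

A review or monitoring check that follows from this: for each token, compare the treasury's actual token balance with its recorded _balances[token]; any surplus is value that withdraw() cannot release.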