Core Contracts

Regnum Aurum Acquisition Corp
Hardhat · Real World Assets · NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Treasury#deposit() function doesn't expect fee-on-transfer token.

Severity: Low

Impact: Low

Likelihood: High

Description

The deposit() function in the Treasury contract does not consider the case where somebody deposits a so-called "weird" token, i.e. a fee-on-transfer token that deducts a fee whenever it is transferred.

2025-02-raac/contracts/core/collectors/Treasury.sol at 89ccb062e2b175374d40d824263a4c0b601bcb7f · Cyfrin/2025-02-raac · GitHub

function deposit(address token, uint256 amount) external override nonReentrant {
    if (token == address(0)) revert InvalidAddress();
    if (amount == 0) revert InvalidAmount();
    // Pulls `amount` from the caller; a fee-on-transfer token delivers less than `amount`.
    IERC20(token).transferFrom(msg.sender, address(this), amount);
    // Accounting credits the full requested `amount`, not what actually arrived.
    _balances[token] += amount;
    _totalValue += amount;
    emit Deposited(token, amount);
}

In that case the contract actually receives `amount` minus the fee, but `_balances[token]` and `_totalValue` are incremented by the full `amount`, so the recorded balances are higher than the tokens the contract holds. This can cause problems on withdrawal, when the accounting promises more than is available.
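A hardened version of deposit() that credits the balance delta (what actually arrived) rather than the requested amount, shown beside a mock fee-on-transfer token that reproduces the mismatch. This is an added example, not the RAAC project's code; the contract names (TreasuryBalanceDelta, FeeOnTransferToken, DepositDemo), the 1% fee, the inline reentrancy guard and the minimal IERC20 interface are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not RAAC project code. Only the IERC20 surface the example needs.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical mock of a fee-on-transfer token: 1% of every transfer is burned.
contract FeeOnTransferToken is IERC20 {
    uint256 public constant FEE_BPS = 100; // 1% in basis points (assumed value)
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() {
        balanceOf[msg.sender] = 1_000_000e18;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        require(allowance[from][msg.sender] >= amount, "allowance");
        require(balanceOf[from] >= amount, "balance");
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        uint256 fee = (amount * FEE_BPS) / 10_000;
        balanceOf[to] += amount - fee; // recipient receives amount minus the fee
        return true;
    }
}

// Hardened deposit(): credit the balance delta, not the requested amount.
contract TreasuryBalanceDelta {
    error InvalidAddress();
    error InvalidAmount();
    error TransferFailed();
    error Reentrancy();

    mapping(address => uint256) private _balances;
    uint256 private _totalValue;
    bool private _entered; // minimal guard standing in for the original's nonReentrant

    event Deposited(address indexed token, uint256 requested, uint256 received);

    modifier nonReentrant() {
        if (_entered) revert Reentrancy();
        _entered = true;
        _;
        _entered = false;
    }

    function deposit(address token, uint256 amount) external nonReentrant {
        if (token == address(0)) revert InvalidAddress();
        if (amount == 0) revert InvalidAmount();

        // Measure holdings before and after the pull; the difference is what the contract really owns.
        uint256 before = IERC20(token).balanceOf(address(this));
        if (!IERC20(token).transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        if (received == 0) revert InvalidAmount();

        _balances[token] += received;
        _totalValue += received;
        emit Deposited(token, amount, received);
    }

    function balanceOf(address token) external view returns (uint256) {
        return _balances[token];
    }

    function totalValue() external view returns (uint256) {
        return _totalValue;
    }
}

// Hypothetical harness: deposit 100 tokens and compare what was credited with what is held.
contract DepositDemo {
    function run() external returns (uint256 credited, uint256 held) {
        FeeOnTransferToken token = new FeeOnTransferToken(); // this contract holds the supply
        TreasuryBalanceDelta treasury = new TreasuryBalanceDelta();
        token.approve(address(treasury), 100e18);
        treasury.deposit(address(token), 100e18);
        credited = treasury.balanceOf(address(token)); // 99e18 with the 1% fee
        held = token.balanceOf(address(treasury));     // 99e18: accounting now matches holdings
    }
}
```

Two caveats. The balance-delta pattern is only sound together with a reentrancy guard: a token with transfer hooks (ERC777-style) could re-enter deposit() during transferFrom and have the same incoming tokens counted twice, which is why the original's nonReentrant must stay. And checking the bool return is a simplification; a production version would use SafeERC20 to cope with tokens that return nothing. The example also does not address the judge's point that _totalValue sums raw units across tokens with different decimals.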

Impact

The deposit() function can be called by anyone, which is why the likelihood is high. Although Treasury is designed to accept any ERC20 token, in practice it works with a specific token, so the real impact is low.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Treasury::deposit increments _totalValue regardless of the token, be it malicious, different decimals, FoT etc.

Treasury::deposit increments _balances[token] with amount, not taking FoT or rebasing into account
