Lines of code
https://github.com/code-423n4/2023-03-aragon/blob/main/packages/contracts/src/core/dao/DAO.sol#L218-L245

Vulnerability details

Impact
deposit() keeps no accounting, the Deposited event reports the wrong amount for fee-on-transfer tokens, and the function's use case is limited to donations.

Proof of Concept
What deposit does:
Anyone can deposit any amount of any token (or the native token) into the DAO contract. The function performs no accounting for the deposit: it pulls the tokens in and emits an event carrying the sender, the token and the requested amount, and nothing in contract state records who funded the DAO or by how much.

What's wrong with it:
For fee-on-transfer tokens, the amount in the emitted event is the amount the caller requested, not the amount the DAO actually received, so anything indexing the event (front ends, off-chain accounting) over-reports the deposit.
DAO.sol has no withdrawal or refund path paired with deposit: a depositor cannot reclaim funds, and the only way tokens can leave the DAO is through a governance-approved execute() action.
Without accounting, deposit is effectively a donation function; it cannot support any use case in which a depositor's contribution must be known on-chain.

Tools Used
VS Code

Recommended Mitigation Steps
Add accounting state (for example a mapping from depositor and token to amount) and credit it with the amount actually received, measured as the contract's token balance after the transfer minus the balance before, so that fee-on-transfer tokens are recorded and reported correctly. The receive() function can be removed so that the only way to fund the contract is through deposit(); note that this makes plain ETH transfers to the DAO revert.
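An illustrative contract that implements the mitigation above. This is an added example, not Aragon's code: the contract name, the storage layout, the extra `received` field on the event and the use of OpenZeppelin's SafeERC20 and ReentrancyGuard (v4 import paths) are assumptions. It credits each depositor by the balance actually received, so a fee-on-transfer token is recorded and reported correctly, and it deliberately has no receive() or fallback so every funding path goes through deposit().

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumed dependency: OpenZeppelin Contracts v4.x.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/security/ReentrancyGuard.sol";

/// @notice Example deposit function with per-depositor accounting (illustrative, not DAO.sol).
contract AccountedDeposits is ReentrancyGuard {
    using SafeERC20 for IERC20;

    /// @dev The native token is represented by address(0).
    address public constant NATIVE_TOKEN = address(0);

    /// @notice depositor => token => amount actually credited
    mapping(address => mapping(address => uint256)) public deposited;
    /// @notice token => total actually credited across all depositors
    mapping(address => uint256) public totalDeposited;

    /// @notice Reports both the requested amount and the amount the contract
    ///         actually received, so indexers can see the fee taken on transfer.
    event Deposited(
        address indexed sender,
        address indexed token,
        uint256 requested,
        uint256 received,
        string reference
    );

    error ZeroAmountNotAllowed();
    error NativeTokenDepositAmountMismatch(uint256 expected, uint256 actual);

    /// @notice Deposit `_amount` of `_token` (or native token if `_token == address(0)`).
    /// @dev nonReentrant matters here: the balance-delta measurement can be skewed by
    ///      tokens with transfer hooks (e.g. ERC777) if they re-enter deposit().
    function deposit(
        address _token,
        uint256 _amount,
        string calldata _reference
    ) external payable nonReentrant {
        if (_amount == 0) revert ZeroAmountNotAllowed();

        uint256 received;
        if (_token == NATIVE_TOKEN) {
            // Native token: the value sent must match the declared amount exactly.
            if (msg.value != _amount) {
                revert NativeTokenDepositAmountMismatch(_amount, msg.value);
            }
            received = msg.value;
        } else {
            // ERC20: no stray ETH allowed, and credit only what actually arrived.
            if (msg.value != 0) {
                revert NativeTokenDepositAmountMismatch(0, msg.value);
            }
            IERC20 token = IERC20(_token);
            uint256 balanceBefore = token.balanceOf(address(this));
            token.safeTransferFrom(msg.sender, address(this), _amount);
            received = token.balanceOf(address(this)) - balanceBefore;
        }

        // Accounting state: who funded the contract, in which token, and by how much.
        deposited[msg.sender][_token] += received;
        totalDeposited[_token] += received;

        emit Deposited(msg.sender, _token, _amount, received, _reference);
    }

    // Intentionally no receive() or fallback(): a plain ETH transfer reverts,
    // so the only way to fund this contract is deposit(), which is accounted for.
}
```

With a 1% fee-on-transfer token and `_amount = 100e18`, `received` is `99e18`; `deposited[msg.sender][_token]` and the event's `received` field both carry the 99e18 figure, while `requested` still shows the 100e18 the caller asked for. Whether depositors should be able to withdraw against `deposited` is a governance decision the page does not settle, so this example records the accounting only and leaves fund movement to the DAO's existing execution path.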