# 30973 - \[SC - Low] Incorrect Validation of treasuryPct in the Reve... Submitted on May 9th 2024 at 23:24:07 UTC by @The\_Seraphs for [Boost | Alchemix](https://immunefi.com/bounty/alchemix-boost/) Report ID: #30973 Report type: Smart Contract Report severity: Low Target: Impacts: * Contract fails to deliver promised returns, but doesn't lose value * Smart contract unable to operate due to lack of token funds * Protocol insolvency ## Description ## Brief/Intro The constructor of the `RevenueHandler` contract incorrectly checks an uninitialised state variable (`treasuryPct`) instead of the parameter (`_treasuryPct`). This issue could lead to setting an unintended treasury percentage without proper validation. **Note:** *I've set as a medium severity, due to setting an incorrect treasury percentage could lead to financial discrepancies in revenue distribution between the Treasury and veALCX holders - Ultimately affecting the protocol's economic model. However, I do understand that this is part of a constructor, so the likelihood is **low** and the `setTreasuryPct()` can be used to fix once noticed.* ## Vulnerability Details ### Components Affected * Contract Name: `RevenueHandler` * Functionality: Constructor and Treasury Percentage Setup ## Impact Details The constructor of the `RevenueHandler` contract is intended to initialise the treasury percentage (`treasuryPct`) used to calculate the portion of revenues sent to the treasury. The code currently checks the uninitialised state variable `treasuryPct` instead of the input parameter `_treasuryPct`. The correct line should validate `_treasuryPct` as it's the input provided during contract deployment and affects subsequent financial calculations. If not corrected, this bug could allow the initialisation of the `RevenueHandler` with a `treasuryPct` exceeding 100%. This could lead to errors in calculating the treasury's share of revenues, potentially resulting in economic losses or unintended distribution of funds. **Current implementation:** ```solidity constructor(address _veALCX, address _treasury, uint256 _treasuryPct) Ownable() { veALCX = _veALCX; require(_treasury != address(0), "treasury cannot be 0x0"); treasury = _treasury; require(treasuryPct <= BPS, "treasury pct too large"); // incorrect check treasuryPct = _treasuryPct; } ``` **Proposed fix:** ```solidity constructor(address _veALCX, address _treasury, uint256 _treasuryPct) Ownable() { veALCX = _veALCX; require(_treasury != address(0), "treasury cannot be 0x0"); treasury = _treasury; require(_treasuryPct <= BPS, "treasury pct too large"); // corrected treasuryPct = _treasuryPct; ``` ## References * Link to code (contract): * Link to code (test file): ## Proof of Concept * Using the existing `src/test/RevenueHandler.t.sol` test contract * Add the following test function ```solidity function testRevenueHandlerTreasuryPct() public { uint256 treasuryPct = revenueHandler.treasuryPct(); console.log("Treasury percentage: %s", treasuryPct); } ``` * Go to the `BaseTest.sol` test contract and adjust setUp() which initiates the `RevenueHandler` with the required parameters. ```solidity=153 revenueHandler = new RevenueHandler(address(veALCX), admin, 50000); // @audit change to higher than BPT ``` * Run the test from the terminal `forge test --mt testRevenueHandlerTreasuryPct -vv` **Results:** ```shell [⠒] Compiling... No files changed, compilation skipped Ran 1 test for src/test/RevenueHandler.t.sol:RevenueHandlerTest [PASS] testRevenueHandlerTreasuryPct() (gas: 10892) Logs: Treasury percentage: 50000 Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 6.25s (70.92ms CPU time) Ran 1 test suite in 6.62s (6.25s CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests) ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/alchemix/30973-sc-low-incorrect-validation-of-treasurypct-in-the-reve....md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.