Summary
Treasury creation is sponsored by the platform (6 NEAR deposited), but newly created treasuries retain ~0.5-0.6 NEAR of spendable balance after storage costs. Users can extract this "free money" by creating a treasury and immediately withdrawing the excess balance.
Technical Details
How Treasury Creation Works
- The backend calls the Sputnik DAO factory with a 6 NEAR deposit (create.rs:172)
- The factory forwards the entire 6 NEAR to the newly created treasury account
- The account's storage (contract code plus initial DAO state, 540-550 KB) is staked at the protocol rate of 1 NEAR per 100 KB, so ~5.4-5.5 NEAR is tied up as the storage stake
- The remaining ~0.5-0.6 NEAR is spendable by the DAO
The Attack Vector
- Create treasury with 1 member (attacker) having all roles
- Set payment threshold to 1 (minimum allowed)
- Treasury receives ~0.5-0.6 NEAR spendable balance
- Create Transfer proposal to withdraw NEAR (costs 0.1 NEAR bond)
- Approve own proposal (only 1 vote needed)
- Finalize and extract funds
Net profit: ~0.4-0.5 NEAR per treasury creation
Evidence
Current Treasury Balances
| Treasury | Total | Storage Cost | Spendable |
|---|---|---|---|
| yurtur-empty-treasury | 6.00 NEAR | 5.44 NEAR | 0.56 NEAR |
| my-testing-treasury2 | 6.00 NEAR | 5.41 NEAR | 0.59 NEAR |
| ori | 6.10 NEAR | 5.42 NEAR | 0.68 NEAR |
| chabak | 6.00 NEAR | 5.52 NEAR | 0.48 NEAR |
Evidence of Exploitation (Drained Accounts)
| Treasury | Total | Storage Cost | Spendable |
|---|---|---|---|
| azaxdsa | 5.43 NEAR | 5.42 NEAR | 0.007 NEAR |
| ggg | 5.43 NEAR | 5.43 NEAR | 0.001 NEAR |
| number35 | 5.43 NEAR | 5.42 NEAR | 0.007 NEAR |
These accounts hold balances almost exactly equal to their storage cost (an account cannot spend below its storage stake, hence the 0.001-0.007 NEAR residue), indicating the excess has already been withdrawn.
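The "Storage Cost" and "Spendable" columns above, and the ~0.5-0.6 NEAR excess described under "How Treasury Creation Works", both come down to the same arithmetic: total balance minus `storage_usage` bytes times the protocol storage price. The following Node script is an added example, not code from this issue or from the project; it computes that figure from the shape returned by the NEAR JSON-RPC `view_account` query and flags drained treasuries. The 0.02 NEAR drained threshold is an assumption, and the sample accounts are constructed to reproduce two rows of the tables (their byte counts were chosen to match the table's storage cost, not measured).

```javascript
// Added example (not project code): spendable balance of a treasury account
// from a NEAR JSON-RPC `view_account` result, as used for the tables above.
// Protocol constant: storage is staked at 1e19 yoctoNEAR per byte (1 NEAR per 100 KB).
const STORAGE_COST_PER_BYTE = 10n ** 19n;
const ONE_NEAR = 10n ** 24n;
// Assumption: a treasury with under 0.02 NEAR spendable has had its excess withdrawn.
const DRAINED_THRESHOLD = ONE_NEAR / 50n;

// Render yoctoNEAR as a NEAR number with 3 decimals (bigint math until the last step).
function toNear(yocto) {
  return Number((yocto * 1000n) / ONE_NEAR) / 1000;
}

// `acct` has the shape of a `view_account` query result:
// { amount: "<yoctoNEAR>", locked: "<yoctoNEAR>", storage_usage: <bytes>, ... }
function spendableYocto(acct) {
  const storage = BigInt(acct.storage_usage) * STORAGE_COST_PER_BYTE;
  const free = BigInt(acct.amount) - BigInt(acct.locked) - storage;
  return free > 0n ? free : 0n; // the balance can never drop below the storage stake
}

function report(accountId, acct) {
  const spendable = spendableYocto(acct);
  return {
    account_id: accountId,
    total_near: toNear(BigInt(acct.amount)),
    storage_near: toNear(BigInt(acct.storage_usage) * STORAGE_COST_PER_BYTE),
    spendable_near: toNear(spendable),
    drained: spendable < DRAINED_THRESHOLD,
  };
}

// How much of a fixed factory deposit is left over once `storageBytes` are staked.
function excessDepositYocto(depositYocto, storageBytes) {
  const excess = depositYocto - BigInt(storageBytes) * STORAGE_COST_PER_BYTE;
  return excess > 0n ? excess : 0n;
}

// Live check against mainnet (not invoked here): returns the `view_account` result.
async function fetchViewAccount(accountId, rpcUrl = "https://rpc.mainnet.near.org") {
  const res = await fetch(rpcUrl, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({
      jsonrpc: "2.0",
      id: "dontcare",
      method: "query",
      params: { request_type: "view_account", finality: "final", account_id: accountId },
    }),
  });
  const body = await res.json();
  if (body.error) throw new Error(JSON.stringify(body.error));
  return body.result;
}

// Constructed sample inputs modelled on two rows of the tables above
// (byte counts chosen so the storage cost matches; not measured values).
const SAMPLE_ACCOUNTS = {
  "yurtur-empty-treasury": { amount: (6n * ONE_NEAR).toString(), locked: "0", storage_usage: 544000 },
  "ggg": { amount: "5431000000000000000000000", locked: "0", storage_usage: 543000 },
};

function reportAll(accounts = SAMPLE_ACCOUNTS) {
  return Object.entries(accounts).map(([id, acct]) => report(id, acct));
}

console.table(reportAll());
```

To audit real treasuries, replace `SAMPLE_ACCOUNTS` with `await fetchViewAccount(id)` for each treasury account ID; a row whose `drained` flag is set has already been emptied down to its storage stake, while `excessDepositYocto(6n * ONE_NEAR, storage_usage)` gives what a freshly created treasury of that size can withdraw.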
Impact
- Severity: Medium
- Financial impact: ~0.4-0.5 NEAR per exploited treasury
- Exploitability: Easy - requires only basic NEAR wallet interaction
Related Code
- Treasury creation: nt-be/src/handlers/treasury/create.rs
- Frontend form (allows threshold=1): nt-fe/app/(treasury)/app/new/page.tsx
- Sputnik DAO factory: sputnik-dao.near