Dug - A controller does not use vault treasuries

[sherlock-admin]

Dug

medium

A controller does not use vault treasuries

Summary

A each vault has a treasury address stored. However, ControllerPeggedAssetV2 does not take this treasury into account when moving tokens.

Vulnerability Detail

Each instance of ControllerPeggedAssetV2 has an immutable treasury address stored. It uses this address to as the destination for fees.

This is in opposition the fact that each vault has it's own treasury that is set when it is created and can be updated through the setTreasury function.

Impact

This creates the issue where updating a VaultV2 treasury address has no effect. Withdraw fees always go to the ControllerPeggedAssetV2 treasury address. In fact, as it is, the treasury address is not used at all in the VaultV2 contract.

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/VaultV2.sol#L261-L268

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Controllers/ControllerPeggedAssetV2.sol#L18

Tool used

Manual Review

Recommendation

If the intention is for all fees (deposit & withdraw) to go to a single treasury, then the immutable treasury address should be removed from ControllerPeggedAssetV2 and instead it should send fees to the VaultV2 treasury address. This way the treasury address is always managed by the VaultV2 contract.

If the intention is for withdraw fees to go to a different treasury than deposit fees, then the VaultV2 treasury address (and its related admin functions) should be moved to the Carousel as that is the only place it is used.

Duplicate of #110