Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Circuit DAO>Design>Treasury
GeneralOverview
Findings
Critical (4)
High (7)
Medium (1)
Low (1)
Informational (3)
DiscussionVote aggregationTreasury-ring correctness relies on governanceConfusion of atom-announcer identityOracle-resolution votingTest code coverage
DesignDesign overviewThe statues coinGovernanceAtom announcerAnnouncer registryOracleTreasuryRecharge auctionSurplus auctionCollateral vaultSavings vaultBYC and CRT
Audit ResultsAssessment Results

Treasury

The treasury is a collection of BYC coins that hold fees and absorb bad debt. It consists of multiple coins rather than just one in order to support simultaneous withdrawals. This poses a challenge for operations involving the entire treasury (such as knowing the total balance), which is handled by putting a ring structure on the coin set.

Authorization

The parent of a treasury coin may or may not be a treasury coin. The coin is trusted if the spender provides proof that its parent is a treasury coin. Otherwise, the coin can only be spent if it and its curried parameters are approved by governance.

Some actions require knowledge of the entire treasury's balance. The purpose of a recharge auction is to sell CRT for BYC to replenish the treasury and cover bad debt. The protocol only allows recharge auctions to be started if the treasury balance is below a threshold.

In order to enforce that all treasury coins are spent in these cases, the coins are placed in a ring. Each coin knows its launcher (original nontreasury creator) as well as the launcher of the next coin. Then, a protocol operation can require the spender to provide the coins in an order that matches the ring, which serves as proof that the entire treasury is being spent.

Under section , we briefly describe how the ring structure is enforced.

Spends

A treasury coin can be spent in two main ways. With the approval of governance, a treasury coin can complete its launch or have its ring structure updated. With the approval of some protocol coins, a treasury coin can have its balance changed.

Correctness and test coverage

The treasury coin must only update structural data when approved by governance. Changes to balance should be authorized by puzzles approved in statutes. Correct lineage proofs should be accepted, and incorrect ones rejected—this is particularly important for operations like recharge auctions that need knowledge of the entire treasury balance.

Voltage Technologies Ltd. includes positive and negative test cases for many of these facts, like verifying that withdrawal requests from unapproved puzzles fail. In general, we recommend improving test coverage of end-to-end flows like fee deposits.

Zellic © 2025Back to top ↑