F-2025-0006 · Centralization risk

Missing state tracking in treasury transfers leads to unaccountable fund movements

Status
Acknowledged
Tags
nft · erc721 · erc20
TL;DR

transferFromTreasury moves tokens out of the treasury address, which holds 70% of the supply, with no state tracking, no allocation limit and no event. Holders therefore have no on-chain visibility into how the largest allocation is spent.

Severity
MEDIUM
Impact
MEDIUM
Likelihood
MEDIUM
Method
Manual review
Category
Centralization risk
Complexity
LOW
Exploitability
MEDIUM
02 · Description

The transferFromTreasury function lets the owner move tokens out of the treasury address without any accounting or state tracking. Unlike distributeShareHolderTokens and airdrop, which record their allocations in state variables, treasury transfers are not accounted for at all.

The contract allocates 70% of the total supply (700,000 tokens) to the treasury address during deployment, but provides no mechanism to track how these funds are used:

```solidity
function transferFromTreasury(address to, uint256 amount) public onlyOwner {
    require(to != address(0), "Cannot transfer to zero address");
    _transfer(treasury, to, amount); // No state tracking, no allocation limit, no event
}
```

This creates an inconsistent accounting model: the shareholder and airdrop allocations are carefully tracked, while the largest allocation (the treasury) has neither transparency nor limits.

Vulnerable Scenario:

The following steps walk through the issue:

  1. The contract deploys with 700,000 tokens (70% of supply) allocated to the treasury.
  2. The owner can call transferFromTreasury to move any amount from the treasury to any address.
  3. No state variable records how much of the treasury allocation has been used.
  4. No limit prevents the owner from draining the entire treasury allocation.
  5. Token holders have no visibility into how treasury funds are used.
03 · Impact

Complete centralized control over 70% of token supply without transparency, accountability, or usage tracking.

04 · Recommendation

Account for treasury transfers the same way the other allocations are accounted for. Track the remaining allocation in a state variable such as _unallocatedTreasuryTokens, check and decrement it on every transferFromTreasury call (reverting when the amount exceeds what is left), and emit a TreasuryTransfer event so off-chain monitors can audit treasury fund usage.
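The following is an added example of the recommended pattern, written for this page and not taken from the audited project. Only transferFromTreasury and treasury are names from the finding; the contract name, supply figures, the event and error names and the OpenZeppelin v5 dependency are assumptions. It also adds a consistency check that a monitor can poll, because the counter only sees owner-mediated transfers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5 (Ownable takes the initial owner in its constructor).
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Illustrative token. transferFromTreasury and treasury come from the finding;
/// every other name and figure here is an assumption for the example.
contract TreasuryTrackedToken is ERC20, Ownable {
    uint256 public constant TOTAL_SUPPLY = 1_000_000e18;
    uint256 public constant TREASURY_ALLOCATION = 700_000e18; // 70% of supply

    address public immutable treasury;

    // Remaining treasury allocation: starts at TREASURY_ALLOCATION, decremented on each transfer.
    uint256 private _unallocatedTreasuryTokens;
    // Running total released by the owner, for off-chain reconciliation.
    uint256 public totalTreasuryDistributed;

    event TreasuryTransfer(address indexed to, uint256 amount, uint256 remainingAllocation);

    error ExceedsTreasuryAllocation(uint256 requested, uint256 remaining);

    constructor(address treasury_, address initialOwner)
        ERC20("Example Token", "EXM")
        Ownable(initialOwner)
    {
        require(treasury_ != address(0), "Treasury cannot be zero address");
        treasury = treasury_;
        _unallocatedTreasuryTokens = TREASURY_ALLOCATION;
        _mint(treasury_, TREASURY_ALLOCATION);
        // The remaining 30% stands in for the shareholder and airdrop allocations.
        _mint(initialOwner, TOTAL_SUPPLY - TREASURY_ALLOCATION);
    }

    function unallocatedTreasuryTokens() external view returns (uint256) {
        return _unallocatedTreasuryTokens;
    }

    /// Owner-gated release from the treasury, bounded by the remaining allocation and logged.
    function transferFromTreasury(address to, uint256 amount) external onlyOwner {
        require(to != address(0), "Cannot transfer to zero address");
        require(amount > 0, "Amount must be positive");

        uint256 remaining = _unallocatedTreasuryTokens;
        if (amount > remaining) revert ExceedsTreasuryAllocation(amount, remaining);

        // Update the counters before moving tokens so the event and the state cannot diverge.
        _unallocatedTreasuryTokens = remaining - amount;
        totalTreasuryDistributed += amount;

        _transfer(treasury, to, amount);
        emit TreasuryTransfer(to, amount, remaining - amount);
    }

    /// Caveat for monitors: if the treasury address is an EOA or another contract, it can still
    /// move tokens with a plain ERC20 transfer and bypass this counter. A false result means
    /// tokens left the treasury outside the tracked path (incoming transfers do not trip it).
    function treasuryAccountingConsistent() external view returns (bool) {
        return balanceOf(treasury) >= _unallocatedTreasuryTokens;
    }
}
```

An off-chain monitor would subscribe to TreasuryTransfer and, on each event or on a schedule, read unallocatedTreasuryTokens() and treasuryAccountingConsistent(); the sum of emitted amounts should always equal totalTreasuryDistributed, and any divergence between the treasury balance and the counter indicates an untracked movement.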

05 · Resolution

Ipal Network: Acknowledged. This finding relates to a contract that was decided to be outside the scope of the audit during the audit process.

Zealynx: Acknowledged. The transferFromTreasury function still lacks state tracking for treasury fund usage, allowing unlimited transfers without accountability or transparency.


© 2026 Zealynx