Submission Details
Severity:
Permanent lockup of crvUSD tokens in RAACNFT contract
Summary
The RAACNFT contract permanently locks crvUSD tokens sent during minting with no withdrawal mechanism.
Vulnerability Details
When users mint NFTs, they send crvUSD tokens to the contract:
token.safeTransferFrom(msg.sender, address(this), _amount);
However, the contract has:
No function to withdraw these tokens
No way to recover locked funds
No burning mechanism that returns tokens
Impact
All crvUSD tokens sent to contract become permanently locked
Loss of user funds
Protocol value becomes inaccessible
HIGH severity due to permanent fund lockup
Tools Used
Manual Review
Recommendations
Add withdrawal functionality for the protocol:
function withdrawTokens(address to, uint256 amount) external onlyOwner {
token.safeTransfer(to, amount);
emit TokensWithdrawn(to, amount);
}
function burnAndReturn(uint256 tokenId) external {
require(ownerOf(tokenId) == msg.sender, "Not owner");
uint256 price = raac_hp.tokenToHousePrice(tokenId);
_burn(tokenId);
token.safeTransfer(msg.sender, price);
emit NFTBurned(tokenId, msg.sender, price);
}
Updates
Lead Judging Commences
inallhonesty about 2 months ago
Submission Judgement Published Assigned finding tags:
Liquidated RAACNFTs are sent to the StabilityPool by LendingPool::finalizeLiquidation where they get stuck
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.