Bypassing lock duration via `emergencyWithdraw`
Summary
The emergencyWithdraw function in the veRAACToken contract remains permanently enabled once activated, allowing users to create new locks and immediately withdraw them through the emergency withdrawal mechanism, ignoring the MIN_LOCK_DURATION.
Vulnerability Details
Once emergencyWithdraw is enabled via enableEmergencyWithdraw and the emergencyWithdrawDelay has passed, it remains permanently active. This vulnerability could be exploited in the following scenario:
Emergency withdrawal is enabled and delay period passes
Emergency situation is resolved
Attacker creates new lock
Attacker calls emergencyWithdraw
Attacker receives tokens back, bypassing lock duration
Impact
This effectively breaks the core mechanism of the protocol once emergencyWithdraw is enabled, as users can freely bypass lock durations that are meant to be enforced.
Recommendations
Consider adding a disable function for the emergencyWithdraw, which the owner can call once the emergency situation is resolved.
Lead Judging Commences
veRAACToken::emergencyWithdraw permanently enables lock-bypassing after activation with no way to disable it, permanently breaking token time-locking functionality
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.