The release() function in the RAACReleaseOrchestrator.sol contract, which handles the release of RAAC tokens to various stakeholders under custom vesting schedules, does not properly account for cases where a stakeholder has not claimed any tokens during the vesting period.
The release() function internally calls _calculateReleasableAmount(schedule) (see contracts/core/minters/RAACReleaseOrchestrator/RAACReleaseOrchestrator.sol in Cyfrin/2025-02-raac), which in turn checks whether the vesting time has elapsed.
Issue: If a stakeholder does not claim their tokens throughout the vesting period, the function executes the following logic:
Once the vesting duration has been reached, the function releases the entire remaining token balance for the stakeholder at once. This could lead to massive token dumps, negatively impacting RAAC token price stability and defeating the purpose of a gradual vesting process.
Price Manipulation: A sudden release of a large token amount could cause significant market volatility and destabilize the token price.
Vesting Violation: The core goal of vesting (gradual release over time) is bypassed if unclaimed tokens are released in bulk at the end.
Manual code review
Ensure that stakeholders cannot bypass vesting schedules by simply delaying their claims.
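The following Solidity contract is an added illustration of the point above; it is not the RAAC project's code, and every name in it (VestingReleaseExample, CLAIM_WINDOW, releasableUnthrottled, releasableThrottled, the VestingSchedule fields) is an assumption made for the example. It places a plain linear vesting calculation, in which everything vested and unclaimed is releasable in one call, next to a throttled variant that limits each claim to one window's worth of vesting and spaces claims at least one window apart, so a stakeholder who delays claiming still receives tokens gradually instead of in a single bulk release.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the RAAC project's code. All names and the
// CLAIM_WINDOW parameter are assumptions made for this example.
contract VestingReleaseExample {
    struct VestingSchedule {
        uint256 totalAmount;    // total allocation for the beneficiary
        uint256 startTime;      // vesting start (unix timestamp)
        uint256 duration;       // vesting length in seconds
        uint256 releasedAmount; // already paid out
        uint256 lastClaimTime;  // timestamp of the last successful claim
    }

    // Minimum spacing between claims; also defines how much can be
    // released per claim (assumed value, the page does not specify one).
    uint256 public constant CLAIM_WINDOW = 30 days;

    mapping(address => VestingSchedule) public schedules;

    function createSchedule(
        address beneficiary,
        uint256 totalAmount,
        uint256 startTime,
        uint256 duration
    ) external {
        require(duration > 0, "duration must be > 0");
        schedules[beneficiary] = VestingSchedule(totalAmount, startTime, duration, 0, startTime);
    }

    // Plain linear vesting: everything vested and not yet released is
    // claimable in one call. A beneficiary who waits until the end of the
    // schedule can therefore withdraw the entire allocation at once.
    function releasableUnthrottled(address beneficiary) public view returns (uint256) {
        VestingSchedule storage s = schedules[beneficiary];
        return _vestedAmount(s) - s.releasedAmount;
    }

    // Throttled variant: each claim is capped at one window's share of the
    // allocation and claims must be at least CLAIM_WINDOW apart. Unclaimed
    // tokens are not forfeited, they are paid out window by window.
    function releasableThrottled(address beneficiary) public view returns (uint256) {
        VestingSchedule storage s = schedules[beneficiary];
        if (block.timestamp < s.lastClaimTime + CLAIM_WINDOW) return 0;
        uint256 pending = _vestedAmount(s) - s.releasedAmount;
        uint256 perWindow = (s.totalAmount * CLAIM_WINDOW) / s.duration;
        return pending < perWindow ? pending : perWindow;
    }

    function releaseThrottled() external {
        VestingSchedule storage s = schedules[msg.sender];
        uint256 amount = releasableThrottled(msg.sender);
        require(amount > 0, "nothing releasable");
        s.releasedAmount += amount;
        s.lastClaimTime = block.timestamp;
        // The actual token transfer is omitted in this illustration.
    }

    // Linear vesting curve: 0 before start, full amount once duration has
    // elapsed, proportional in between.
    function _vestedAmount(VestingSchedule storage s) internal view returns (uint256) {
        if (block.timestamp < s.startTime) return 0;
        uint256 elapsed = block.timestamp - s.startTime;
        if (elapsed >= s.duration) return s.totalAmount;
        return (s.totalAmount * elapsed) / s.duration;
    }
}
```

With CLAIM_WINDOW set to 30 days and a 12-month schedule, a beneficiary who never claims can take at most one twelfth of the allocation per call under releasableThrottled, whereas releasableUnthrottled would hand over the whole balance in a single transaction once the duration has elapsed. The trade-off is that catching up on many unclaimed windows takes the same number of claims, which is precisely the gradual release the vesting schedule was meant to enforce.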