Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Emergency withdraw does not delete/reset the users check point to zero

bigsam

Summary

The emergency withdrawal function allows users to withdraw before the unlock time if admins allows an emergency withdrawal but this fails to reset the checkpoint of the user.

Vulnerability Details

Inconsistency in the withdraw and emergency withdrawal function

/**
* @notice Withdraws locked RAAC tokens after lock expiry
* @dev Burns veRAAC tokens and returns the original RAAC tokens to the user
*/
function withdraw() external nonReentrant {
LockManager.Lock memory userLock = _lockState.locks[msg.sender];
if (userLock.amount == 0) revert LockNotFound();
if (block.timestamp < userLock.end) revert LockNotExpired();
uint256 amount = userLock.amount;
uint256 currentPower = balanceOf(msg.sender); // balance of is voting power
// Clear lock data
delete _lockState.locks[msg.sender];
delete _votingState.points[msg.sender];
// Update checkpoints
@audit>> _checkpointState.writeCheckpoint(msg.sender, 0); // update users power
// Burn veTokens and transfer RAAC
_burn(msg.sender, currentPower);
raacToken.safeTransfer(msg.sender, amount);
emit Withdrawn(msg.sender, amount);
}
/**
* @notice Allows emergency withdrawal of locked tokens
* @dev Users can withdraw their tokens before lock expiry during emergency
*/
function emergencyWithdraw() external nonReentrant {
if (emergencyWithdrawDelay == 0 || block.timestamp < emergencyWithdrawDelay)
revert EmergencyWithdrawNotEnabled();
LockManager.Lock memory userLock = _lockState.locks[msg.sender];
if (userLock.amount == 0) revert NoTokensLocked();
uint256 amount = userLock.amount;
uint256 currentPower = balanceOf(msg.sender);
delete _lockState.locks[msg.sender];
delete _votingState.points[msg.sender];
@audit>> // low we do not write to checkpoint
_burn(msg.sender, currentPower);
raacToken.safeTransfer(msg.sender, amount);
emit EmergencyWithdrawn(msg.sender, amount);
}

Impact

Users power and blocknumber are still saved with in the contract.

Tools Used

Manual Review

Recommendations

Reset checkpoint to 0.

Updates

Lead Judging Commences

inallhonesty Lead Judge 2 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::emergencyWithdraw doesn't update checkpoint - innacurate historical voting power, inconsistent state

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.