RAAC token will be locked in RAACReleaseOrchestrator in emergency
Summary
RAAC token will be locked in RAACReleaseOrchestrator in emergency
Vulnerability Details
In RAACReleaseOrchestrator, the owner will transfer some RAAC tokens and distribute these RAAC tokens to the users. When there is something wrong, the EMERGENCY_ROLE can pause the contract and revoke these vesting schedule.
In function emergencyRevoke(), we will delete vestingSchedules and transfer the RAAC token out of the contract. The problem here is that we set the destination address is address(this). It means that all RAAC tokens will be locked in the contract.
For example:
The
ORCHESTRATOR_ROLEcreate one vesting schedule for Alice, the amount is 1000 RAAC token.The owner transfers 1000 RAAC token into RAACReleaseOrchestrator.
When we want to revoke Alice's vesting schedule, the 1000 RAAC will be stuck in this contract.
Impact
Some RAAC token will be stuck in the contract.
Tools Used
Manual
Recommendations
In emergencyRevoke(), we should assign one user to receive these RAAC tokens.
Lead Judging Commences
RAACReleaseOrchestrator::emergencyRevoke sends revoked tokens to contract address with no withdrawal mechanism, permanently locking funds
RAACReleaseOrchestrator::emergencyRevoke sends revoked tokens to contract address with no withdrawal mechanism, permanently locking funds
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.