Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC

Submission Details
Severity: medium
Invalid

Race Condition Allows Beneficiaries to Bypass Emergency Vesting Revocation

Summary

A race condition exists in the emergencyRevoke function: a beneficiary can front-run the revocation by calling release to withdraw all currently releasable tokens before their vesting schedule is revoked.

Affected Code:

Vulnerability Details

  1. The emergencyRevoke function is called for a beneficiary.

  2. The beneficiary sees this transaction in the mempool.

  3. The beneficiary calls release with a higher gas price so it executes first, withdrawing whatever portion of the vesting amount is currently releasable. If that is the entire vesting amount, the beneficiary has successfully front-run the protocol and is not penalized.

The emergencyRevoke function deletes the vesting schedule and transfers only the unreleased amount back to the contract. Because released tokens are never reclaimed, a beneficiary who calls release before the revocation executes keeps their vested tokens, minimizing or avoiding the penalty.
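To make the ordering dependence concrete, here is an added Python model (constructed for this write-up, not the project's contract) of a linear vesting schedule with release and emergencyRevoke; running the same two transactions in both orders shows how much the beneficiary keeps in each case, including the fully vested case where the penalty vanishes entirely.

```python
from dataclasses import dataclass

@dataclass
class Schedule:
    total: int      # tokens granted to the beneficiary
    released: int   # tokens already withdrawn via release()
    start: int      # vesting start timestamp (constructed units)
    duration: int   # length of the linear vesting period

class VestingModel:
    """Constructed stand-in for the contract: linear vesting, release, emergencyRevoke."""
    def __init__(self):
        self.schedules, self.balances, self.treasury = {}, {}, 0

    def create(self, who, total, start, duration):
        self.schedules[who] = Schedule(total, 0, start, duration)
        self.balances[who] = 0

    def vested(self, who, now):
        s = self.schedules[who]
        if now < s.start:
            return 0
        if now >= s.start + s.duration:
            return s.total
        return s.total * (now - s.start) // s.duration

    def release(self, who, now):
        # Withdraw everything vested but not yet released; nothing if the schedule is gone
        s = self.schedules.get(who)
        if s is None:
            return 0
        amount = self.vested(who, now) - s.released
        s.released += amount
        self.balances[who] += amount
        return amount

    def emergency_revoke(self, who):
        # Delete the schedule and reclaim only the UNRELEASED tokens, as the report describes
        s = self.schedules.pop(who)
        unreleased = s.total - s.released
        self.treasury += unreleased
        return unreleased

def outcome(order, now):
    """Run the two transactions in the given order; return (beneficiary kept, treasury reclaimed)."""
    v = VestingModel()
    v.create("alice", 1000, 0, 100)  # constructed: 1000 tokens vesting linearly over 100 units
    for tx in order:
        v.release("alice", now) if tx == "release" else v.emergency_revoke("alice")
    return v.balances["alice"], v.treasury
```

With the schedule half vested, release-before-revoke leaves the beneficiary 500 of 1000 tokens instead of 0; once the end time has passed, the same ordering leaves the treasury with nothing to reclaim.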

Impact

  • Beneficiaries can exploit this race condition to withdraw the maximum possible amount before losing their vesting rights, reducing the penalty, or eliminating it entirely if their vesting schedule is already past its end time.

  • This undermines the intended penalty mechanism of the emergency revoke.

Tools Used

  • Manual code review

  • Symbolic analysis

Recommendations

  • Atomic Operations: Combine pause and revoke into a single transaction to avoid front-running opportunities.

```solidity
mapping(address => bool) private _revocationInProgress;

error RevocationInProgress();

function release() external nonReentrant whenNotPaused {
    address beneficiary = msg.sender;
    // Refuse releases once a revocation has been flagged for this beneficiary
    if (_revocationInProgress[beneficiary]) revert RevocationInProgress();
    // same code
}

function emergencyRevoke(address beneficiary) external onlyRole(EMERGENCY_ROLE) {
    // Flag the beneficiary before the rest of the revocation logic runs
    _revocationInProgress[beneficiary] = true;
    // same code
}
```
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
