Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

There is no way to disable EmergencyWithdraw

Likelihood

Medium

Impact

Medium

Description

The veRAACToken contract lets the admin allow users to withdraw in an emergency through the following function.

function enableEmergencyWithdraw() external onlyOwner withEmergencyDelay(EMERGENCY_WITHDRAW_ACTION) {
    emergencyWithdrawDelay = block.timestamp + EMERGENCY_DELAY;
    emit EmergencyWithdrawEnabled(emergencyWithdrawDelay);
}

However, the problem arises when the admin wants to close the emergency withdraw. Guess what? He can't. This can cause serious trouble, as there is no way to disable it and users can take their funds out even when there is no emergency.

Note => There can be a counter-argument: "The admin can call the function once more and it will be closed". No, this will only fix it temporarily, as it will automatically be enabled again after 3 days (the duration of EMERGENCY_WITHDRAW_DELAY).

Mitigation

The admin should be able to specify for how long the emergency withdraw will be allowed after block.timestamp + EMERGENCY_WITHDRAW_DELAY.
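One way to implement this mitigation, as an added sketch that is not RAAC's code and not part of the original submission: the enable call takes a window length, and an explicit disable function closes it early. The names emergencyWithdrawEnd, MAX_EMERGENCY_WINDOW, disableEmergencyWithdraw and emergencyWithdrawActive are hypothetical, the 30-day cap is an assumption, and the project's withEmergencyDelay modifier is left out because its definition is not shown on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration only. Identifiers other than enableEmergencyWithdraw,
// emergencyWithdrawDelay and EMERGENCY_DELAY are hypothetical.
contract EmergencyWindowSketch {
    uint256 public constant EMERGENCY_DELAY = 3 days;       // delay quoted in the finding
    uint256 public constant MAX_EMERGENCY_WINDOW = 30 days; // assumed upper bound

    address public immutable owner;
    uint256 public emergencyWithdrawDelay; // window start; 0 means disabled
    uint256 public emergencyWithdrawEnd;   // window end (exclusive)

    event EmergencyWithdrawEnabled(uint256 start, uint256 end);
    event EmergencyWithdrawDisabled();
    error NotOwner();
    error InvalidWindow();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // The admin states how long withdrawals stay open once the delay has passed.
    function enableEmergencyWithdraw(uint256 window) external onlyOwner {
        if (window == 0 || window > MAX_EMERGENCY_WINDOW) revert InvalidWindow();
        emergencyWithdrawDelay = block.timestamp + EMERGENCY_DELAY;
        emergencyWithdrawEnd = emergencyWithdrawDelay + window;
        emit EmergencyWithdrawEnabled(emergencyWithdrawDelay, emergencyWithdrawEnd);
    }

    // Closes the window, or cancels a pending one, without scheduling a new one.
    function disableEmergencyWithdraw() external onlyOwner {
        emergencyWithdrawDelay = 0;
        emergencyWithdrawEnd = 0;
        emit EmergencyWithdrawDisabled();
    }

    // The withdrawal path should require this to be true before releasing locks.
    function emergencyWithdrawActive() public view returns (bool) {
        return emergencyWithdrawDelay != 0
            && block.timestamp >= emergencyWithdrawDelay
            && block.timestamp < emergencyWithdrawEnd;
    }
}
```

Because the check has both a lower and an upper bound, the lock bypass expires on its own even if the admin never calls the disable function.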

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::emergencyWithdraw permanently enables lock-bypassing after activation with no way to disable it, permanently breaking token time-locking functionality
