The RAACMinter.sol and RAACToken.sol contracts lack several security features that are explicitly specified in the protocol documentation, including delayed ownership transfers with execution windows and address exemptions for emergency shutdowns. While these contracts maintain basic security through OpenZeppelin's Ownable and Pausable patterns, the absence of the documented security measures reduces the protocol's defense-in-depth approach.
The documentation specifies three security features that are not present in the implementation:
24-hour Window for Ownership Transfer:
The contract lacks a time window mechanism that would allow ownership transfer to be cancelled if not completed within 24 hours of the delay period.
Emergency Shutdown Address Exemptions:
The emergency shutdown affects all addresses uniformly, contrary to documentation stating certain addresses could be exempted.
7-day Delay for RAACToken Ownership Transfer:
The delay mechanism meant to provide additional security for ownership transfers is not implemented.
Low - The contracts still implement standard OZ security features but have not implemented the additional in-house features the documentation specifies.
Either:
Update the documentation to reflect the current implementation
Implement the security features as documented to provide the intended security guarantees
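As an added illustration of the second option (not code from the RAAC repository), the sketch below shows one way the documented 7-day delay and 24-hour execution window could be layered on OpenZeppelin's Ownable. The contract, function, event and error names are hypothetical, and it assumes the current owner executes the transfer and that an expired request has to be scheduled again.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Added illustration, not RAAC code. Contract, function, event and error names are hypothetical.
// Assumption: the current owner executes, and an expired request must be scheduled again.
abstract contract DelayedOwnable is Ownable {
    uint256 public constant TRANSFER_DELAY = 7 days;     // delay stated in the documentation
    uint256 public constant EXECUTION_WINDOW = 24 hours; // window stated in the documentation

    address public pendingOwner;
    uint256 public transferReadyAt; // 0 = nothing scheduled

    event OwnershipTransferScheduled(address indexed newOwner, uint256 readyAt, uint256 expiresAt);
    event OwnershipTransferCancelled(address indexed newOwner);

    error NoPendingTransfer();
    error TransferNotReady(uint256 readyAt);
    error TransferExpired(uint256 expiredAt);

    // Overrides Ownable's immediate hand-over: this call only schedules the transfer.
    function transferOwnership(address newOwner) public virtual override onlyOwner {
        require(newOwner != address(0), "new owner is the zero address");
        pendingOwner = newOwner;
        transferReadyAt = block.timestamp + TRANSFER_DELAY;
        emit OwnershipTransferScheduled(newOwner, transferReadyAt, transferReadyAt + EXECUTION_WINDOW);
    }

    // Valid only in [readyAt, readyAt + 24h]; outside that range the request cannot be used.
    function executeOwnershipTransfer() external onlyOwner {
        uint256 readyAt = transferReadyAt;
        if (readyAt == 0) revert NoPendingTransfer();
        if (block.timestamp < readyAt) revert TransferNotReady(readyAt);
        uint256 expiresAt = readyAt + EXECUTION_WINDOW;
        if (block.timestamp > expiresAt) revert TransferExpired(expiresAt);
        address newOwner = pendingOwner;
        delete pendingOwner;
        delete transferReadyAt;
        _transferOwnership(newOwner);
    }

    function cancelOwnershipTransfer() external onlyOwner {
        if (transferReadyAt == 0) revert NoPendingTransfer();
        emit OwnershipTransferCancelled(pendingOwner);
        delete pendingOwner;
        delete transferReadyAt;
    }
}
```

Ownable's renounceOwnership still takes effect immediately in this sketch, so an implementation would need to decide whether that path should also be delayed or disabled.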