Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Once An Emergency Always An Emergency

Summary

In the veRAACToken contract, once emergencyWithdrawDelay is set there is no way to completely stop emergency withdrawals.

Vulnerability Details

If veRAACToken enters an emergency state that is later safely resolved, the only way for the admins to disallow emergency withdrawals is to continuously call enableEmergencyWithdraw. This is because emergencyWithdrawDelay is never reset to 0, which is the only value that stops emergency withdrawals.

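function emergencyWithdraw() external nonReentrant {
    // Open whenever the delay is non-zero and its timestamp has passed
    if (emergencyWithdrawDelay == 0 || block.timestamp < emergencyWithdrawDelay)
        revert EmergencyWithdrawNotEnabled();
    // ... remainder of the function omitted
}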

Impact

If an emergency is resolved, there's no way to properly end the emergency state
Users could continue to emergency withdraw even after the emergency situation is over
This could lead to unexpected early withdrawals that weren't intended

Tools Used

manual review

Recommendations

Add a disableEmergencyWithdraws function.

function disableEmergencyWithdraws() external onlyOwner withEmergencyDelay(EMERGENCY_WITHDRAW_ACTION) {
    emergencyWithdrawDelay = 0;
    emit EmergencyWithdrawDisabled();
}
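
The lifecycle described in this finding, as an added example (not part of the submission or the RAAC codebase): a simplified JavaScript model of the gate check quoted above, walked through one incident with and without the recommended disableEmergencyWithdraws. It assumes enableEmergencyWithdraw sets emergencyWithdrawDelay to the current time plus a fixed delay; EmergencyGate, incidentTimeline, the 3-day delay and the timestamps are constructed for illustration, and access control and the withEmergencyDelay modifier are left out.

```javascript
// Simplified off-chain model of the emergency-withdraw gate (added example, not RAAC code).
// Assumption: enableEmergencyWithdraw() sets emergencyWithdrawDelay = now + EMERGENCY_DELAY.
const DAY = 24 * 60 * 60;
const EMERGENCY_DELAY = 3 * DAY; // constructed value for illustration

class EmergencyGate {
  constructor({ hasDisable }) {
    this.hasDisable = hasDisable; // true = contract with the recommended fix
    this.emergencyWithdrawDelay = 0;
  }
  enableEmergencyWithdraw(now) {
    this.emergencyWithdrawDelay = now + EMERGENCY_DELAY;
  }
  disableEmergencyWithdraws() {
    if (!this.hasDisable) throw new Error("not available in the original contract");
    this.emergencyWithdrawDelay = 0;
  }
  // Mirrors the revert condition quoted in the finding.
  canEmergencyWithdraw(now) {
    return !(this.emergencyWithdrawDelay === 0 || now < this.emergencyWithdrawDelay);
  }
}

// Walk one incident: enable, delay passes, incident resolved, then check long afterwards.
function incidentTimeline(hasDisable) {
  const gate = new EmergencyGate({ hasDisable });
  const t0 = 1_700_000_000; // constructed start timestamp
  const states = {};
  states.beforeEnable = gate.canEmergencyWithdraw(t0);
  gate.enableEmergencyWithdraw(t0);
  states.duringDelay = gate.canEmergencyWithdraw(t0 + DAY);
  states.afterDelay = gate.canEmergencyWithdraw(t0 + EMERGENCY_DELAY);
  const resolved = t0 + 10 * DAY; // incident declared over
  if (hasDisable) {
    gate.disableEmergencyWithdraws();
  } else {
    // Only workaround in the original: push the timestamp into the future again.
    gate.enableEmergencyWithdraw(resolved);
  }
  states.dayAfterResolution = gate.canEmergencyWithdraw(resolved + DAY);
  states.oneYearLater = gate.canEmergencyWithdraw(resolved + 365 * DAY);
  return states;
}

console.log("original:", incidentTimeline(false));
console.log("with fix:", incidentTimeline(true));
```

In the original model the gate reopens as soon as the re-armed delay elapses, so the admins would have to repeat the call indefinitely; with the reset to 0 it stays closed.
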
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::emergencyWithdraw permanently enables lock-bypassing after activation with no way to disable it, permanently breaking token time-locking functionality
