Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

`emergencyRevoke` does not work as intended

Summary

emergencyRevoke transfers the unreleased tokens of a revoked schedule to the orchestrator itself (address(this)), so the funds never leave the contract it is meant to rescue them from.

Vulnerability Details

emergencyRevoke is the contract's emergency path: if this contract or the beneficiary is compromised (a bug, a hack), an account holding EMERGENCY_ROLE revokes the vesting schedule so that the unreleased tokens can be moved out of this contract before they are taken.

https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/minters/RAACReleaseOrchestrator/RAACReleaseOrchestrator.sol#L126-L139

function emergencyRevoke(address beneficiary) external onlyRole(EMERGENCY_ROLE) {
    VestingSchedule storage schedule = vestingSchedules[beneficiary];
    if (!schedule.initialized) revert NoVestingSchedule();

    uint256 unreleasedAmount = schedule.totalAmount - schedule.releasedAmount;
    delete vestingSchedules[beneficiary];

    if (unreleasedAmount > 0) {
        // Recipient is this contract itself, and the return value is not checked.
        raacToken.transfer(address(this), unreleasedAmount);
        emit EmergencyWithdraw(beneficiary, unreleasedAmount);
    }
    emit VestingScheduleRevoked(beneficiary);
}

However, the transfer sends the tokens to this contract itself: raacToken.transfer(address(this), unreleasedAmount). For a standard ERC20 a transfer from address(this) to address(this) leaves every balance unchanged (the same account is debited and credited), so nothing moves, and because the boolean return value is ignored the function would not revert even if the token refused the transfer. The EmergencyWithdraw event is then emitted although no withdrawal took place.

So in an emergency the function only stops the vesting. The tokens remain in the contract, still exposed to the exploiter, and because the schedule has been deleted and the contract offers no other path for these tokens, they are effectively locked there.

Impact

emergencyRevoke does not rescue the funds: it transfers them to the wrong address (the contract itself), so the unreleased tokens stay in the contract, exposed to the exploiter and, with the schedule deleted, unrecoverable through the contract's own functions.
The function does not work as intended and emits an EmergencyWithdraw event for a withdrawal that never happened.

Tools Used

Manual review

Recommendations

Transfer the unreleased amount to a destination outside this contract, for example msg.sender (the EMERGENCY_ROLE holder) or a dedicated treasury address, so that the funds are safe if the orchestrator itself is compromised. Use SafeERC20's safeTransfer (or check the boolean return value) so that a failed transfer reverts instead of silently emitting EmergencyWithdraw, and reject address(this) and the zero address as the destination.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACReleaseOrchestrator::emergencyRevoke sends revoked tokens to contract address with no withdrawal mechanism, permanently locking funds
