Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

[H-02] emergencyRevoke() in RAACReleaseOrchestrator results in loss of user funds

Summary

The unreleasedAmount tokens in the vesting schedule are not sent to the beneficiary but kept in the contract itself.

Vulnerability Details

When unreleasedAmount is greater than 0, the tokens allocated to the beneficiary but not yet released should be transferred to them. Instead, emergencyRevoke() sends them to the RAACReleaseOrchestrator itself (a moot self-transfer) and also deletes the user's vesting schedule, so the user cannot retrieve the tokens in the future without another vesting.
The intended behaviour is to send the unreleasedAmount to the beneficiary, as the EmergencyWithdraw event also documents.

Location

Impact

Loss of user funds that should be sent to them.

Tools Used

Manual review.

Recommendations

Substitute address(this) with beneficiary.
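
The flawed and recommended patterns side by side, as an added sketch that is not the RAACReleaseOrchestrator source. Only emergencyRevoke, unreleasedAmount, beneficiary, EmergencyWithdraw and address(this) come from the finding; the contract name, interface, struct fields, admin check and event parameters are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added sketch, NOT the RAACReleaseOrchestrator source. The interface, struct
// fields, admin check and event parameters are assumptions for illustration.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract VestingRevokeSketch {
    struct Schedule { uint256 totalAmount; uint256 releasedAmount; }

    IERC20Minimal public immutable token;
    address public immutable admin;
    mapping(address => Schedule) public schedules;

    event EmergencyWithdraw(address indexed beneficiary, uint256 amount);

    constructor(IERC20Minimal token_) { token = token_; admin = msg.sender; }

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    // Hypothetical helper so the sketch has a schedule to revoke.
    function setSchedule(address beneficiary, uint256 total) external onlyAdmin {
        schedules[beneficiary] = Schedule(total, 0);
    }

    function _revoke(address beneficiary, address recipient) private {
        Schedule memory s = schedules[beneficiary];
        uint256 unreleasedAmount = s.totalAmount - s.releasedAmount;
        delete schedules[beneficiary]; // the claim is erased in both variants
        if (unreleasedAmount > 0) {
            require(token.transfer(recipient, unreleasedAmount), "transfer failed");
            emit EmergencyWithdraw(beneficiary, unreleasedAmount);
        }
    }

    // Pattern described in the finding: a self-transfer leaves the contract's
    // balance unchanged while the beneficiary's schedule is gone.
    function emergencyRevokeFlawed(address beneficiary) external onlyAdmin {
        _revoke(beneficiary, address(this));
    }

    // Recommended pattern: the unreleased amount goes to the beneficiary.
    function emergencyRevokeFixed(address beneficiary) external onlyAdmin {
        _revoke(beneficiary, beneficiary);
    }
}
```

A regression test for the fix should assert that the beneficiary's token balance rises by unreleasedAmount and the contract's balance falls by the same amount; checking only for the EmergencyWithdraw event would pass on both variants.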

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACReleaseOrchestrator::emergencyRevoke sends revoked tokens to contract address with no withdrawal mechanism, permanently locking funds
