Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

veRAACToken: Double Emergency Delay in Emergency Withdraw Mechanism

elegantart306

Summary

The veRAACToken::enableEmergencyWithdraw function adds an unnecessary second delay period of EMERGENCY_DELAY (3 days) after the initial delay enforced by the veRAACToken::withEmergencyDelay modifier. This results in a total delay of 6 days instead of the intended 3 days, violating the protocol’s emergency response design and causing user funds to remain locked longer than expected during emergencies.

Vulnerability Details

Code Context:

modifier withEmergencyDelay(bytes32 actionId) {
uint256 scheduleTime = _emergencyTimelock[actionId];
if (scheduleTime == 0) revert EmergencyActionNotScheduled();
if (block.timestamp < scheduleTime + EMERGENCY_DELAY) revert EmergencyDelayNotMet(); // Ensures 3-day delay
_;
delete _emergencyTimelock[actionId];
}
function enableEmergencyWithdraw() external onlyOwner withEmergencyDelay(EMERGENCY_WITHDRAW_ACTION) {
emergencyWithdrawDelay = block.timestamp + EMERGENCY_DELAY; // Adds redundant 3-day delay
emit EmergencyWithdrawEnabled(emergencyWithdrawDelay);
}

Explanation:

  1. The withEmergencyDelay modifier ensures that enableEmergencyWithdraw can only execute after a 3-day delay from the time the emergency action was scheduled (scheduleTime + EMERGENCY_DELAY).

  2. However, the function itself sets emergencyWithdrawDelay = block.timestamp + EMERGENCY_DELAY, adding another 3-day delay before users can call emergencyWithdraw().

  3. This results in a total delay of 6 days (3 days from the modifier + 3 days from the function).

Impact

Severity: High

  1. Critical Functionality Failure:

    • The emergency withdrawal mechanism is a core safety feature of the protocol. Misalignment between documented and actual behavior constitutes a critical failure in protocol logic, regardless of who triggers it.

    • Example: If the protocol markets "3-day emergency withdrawals" to users, the double delay breaches trust and contractual expectations.

  2. Indirect Financial Impact:

    • Users may incur losses due to market conditions during the extra 3-day delay (e.g., token price collapse, missed opportunities).

    • Example: A user expects to withdraw during a market crash at day 3 but is forced to wait until day 6, resulting in deeper losses.

  3. Reputational and Legal Risks:

    • Misleading functionality could lead to regulatory scrutiny (e.g., false advertising claims) or mass user exits due to distrust.

Tools Used

  • Manual code review.

Recommendations

Fix: Remove the redundant delay in enableEmergencyWithdraw:

function enableEmergencyWithdraw() external onlyOwner withEmergencyDelay(EMERGENCY_WITHDRAW_ACTION) {
- emergencyWithdrawDelay = block.timestamp + EMERGENCY_DELAY;
+ emergencyWithdrawDelay = block.timestamp; // Use current timestamp
emit EmergencyWithdrawEnabled(emergencyWithdrawDelay);
}

Verification:
Ensure the total delay for emergency withdrawals is exactly EMERGENCY_DELAY (3 days) from the time the action is scheduled, not doubled.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken implements two consecutive 3-day emergency delays (totaling 6 days), hindering timely emergency response when funds need to be withdrawn quickly

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!