`veRAACToken::emergencyWithdraw` doesn't have any cleaning mechanism to remove emergency schedules previously set, allowing users to perform withdraws at will before the lock ends.
Summary
veRAACToken implements a mechanism to permit users to withdraw their locked tokens under emergency scenarios. The emergency is enabled by the veRAACToken::enableEmergencyWithdrawand can be performed any time after the emergencyWithdrawDelay.
Vulnerability Details
Although this is a good practice, the function doesn't implement any functionality to reset the emergencyWithdrawDelayvariable. This means that after the emergencyWithdrawDelayusers will always be able to perform withdraws.
Once the emergency ends and users can start depositing again, they would be able to immediately withdraw if they want to.
Impact
All locked tokens could be redeemed by users before the MIN_LOCK_DURATIONends even after the emergency action is finalized.
Tools Used
Code Review
Recommendations
Implement a function to reset the emergencyWithdrawDelayvariable once the emergency scenario comes to an end.
Lead Judging Commences
veRAACToken::emergencyWithdraw permanently enables lock-bypassing after activation with no way to disable it, permanently breaking token time-locking functionality
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.