In case of an emergency revocation of vested funds, the assets are not moved out of the contract to safety, because they are transferred right back to the contract itself.
The RAACReleaseOrchestrator contract is used by admins to allocate and vest assets. The contract contains an emergencyRevoke() function to revoke vesting schedules and the associated vested assets in case of an emergency.
The issue is that when they are revoked, the remaining vested amount is incorrectly transferred back into this contract instead of out of it to a safe place. I believe the intent of the developers was to transfer them out since:
This function is supposed to be called in case of an emergency
They could have just deleted the vesting schedule without transferring the tokens back into the same contract, as the tokens would still remain in its balance
Transferring them to the same address makes no sense.
Emergency revocation leaves the revoked assets in an unsafe place (the orchestrator contract itself) instead of transferring them out to a safe address or the treasury.
Manual Review
On emergency revocation, transfer the remaining tokens out to a protocol-owned EOA or deposit them into the treasury instead of sending them to the orchestrator's own address.
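As an added illustration of the recommendation (this is not the RAACReleaseOrchestrator source, which is not reproduced here), the snippet below shows a minimal vesting contract with the flawed self-transfer pattern beside the corrected version that moves the unreleased balance to a treasury. The `vestingSchedules` mapping, the `token` and `treasury` fields, the `createVestingSchedule` helper and the OpenZeppelin v5 imports are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Illustrative vesting contract (assumed shape, not the RAAC code) showing
/// the flawed and the corrected emergency revocation side by side.
contract VestingRevokeExample is Ownable {
    using SafeERC20 for IERC20;

    struct VestingSchedule {
        uint256 totalAmount;     // tokens allocated to the beneficiary
        uint256 releasedAmount;  // tokens already claimed
        bool initialized;
    }

    IERC20 public immutable token;   // assumed: the vested ERC20
    address public treasury;         // assumed: protocol-owned safe address
    mapping(address => VestingSchedule) public vestingSchedules;

    event EmergencyRevoke(address indexed beneficiary, uint256 unreleased, address indexed recipient);

    constructor(IERC20 token_, address treasury_) Ownable(msg.sender) {
        require(treasury_ != address(0), "treasury is zero");
        token = token_;
        treasury = treasury_;
    }

    /// Admin pulls the allocation into the contract and records the schedule.
    function createVestingSchedule(address beneficiary, uint256 amount) external onlyOwner {
        require(!vestingSchedules[beneficiary].initialized, "schedule exists");
        vestingSchedules[beneficiary] = VestingSchedule({totalAmount: amount, releasedAmount: 0, initialized: true});
        token.safeTransferFrom(msg.sender, address(this), amount);
    }

    // Flawed pattern: the recipient is address(this). For a standard ERC20 a
    // self-transfer leaves every balance unchanged, so the unreleased tokens
    // stay inside the orchestrator, which is exactly where the emergency was
    // meant to move them away from.
    function emergencyRevokeFlawed(address beneficiary) external onlyOwner {
        VestingSchedule storage s = vestingSchedules[beneficiary];
        require(s.initialized, "no schedule");
        uint256 unreleased = s.totalAmount - s.releasedAmount;
        delete vestingSchedules[beneficiary];
        token.safeTransfer(address(this), unreleased); // no-op: funds never leave
        emit EmergencyRevoke(beneficiary, unreleased, address(this));
    }

    // Corrected pattern: clear the schedule first (checks-effects-interactions),
    // then move the unreleased balance out to the treasury.
    function emergencyRevoke(address beneficiary) external onlyOwner {
        VestingSchedule storage s = vestingSchedules[beneficiary];
        require(s.initialized, "no schedule");
        uint256 unreleased = s.totalAmount - s.releasedAmount;
        delete vestingSchedules[beneficiary];
        token.safeTransfer(treasury, unreleased);
        emit EmergencyRevoke(beneficiary, unreleased, treasury);
    }
}
```

The only functional difference between the two functions is the transfer recipient; the event's `recipient` field makes the destination visible on-chain, so monitoring can flag any revocation whose recipient is the vesting contract itself.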