Submission Details
Severity:
lock of funds in `RAACRealeaseOehestrator::emergencyRevoke` function.
Summary
When emergencyRevoke is called, unclaimed tokens are sent to the orchestrator contract (address(this)) via raacToken.transfer(address(this), ...) but there is currently no mechanism to withdraw these funds, leaving them stuck in the contract.
Vulnerability Details
The contract has no logic to withdraw ERC20 tokens from its own balance. ERC20 tokens sent to a contract without a withdrawal mechanism are permanently locked.
Impact
tokens sent to the contract is stuck
Tools Used
manual review
Recommendations
add a rescue mechanism
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
RAACReleaseOrchestrator::emergencyRevoke sends revoked tokens to contract address with no withdrawal mechanism, permanently locking funds
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
RAACReleaseOrchestrator::emergencyRevoke sends revoked tokens to contract address with no withdrawal mechanism, permanently locking funds
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.