Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

`emergencyRevoke()` does NOT update the `categoryUsed` mapping

Summary

When `emergencyRevoke()` is called on a vesting schedule, the `categoryUsed` mapping is not reduced by the unreleased amount, which leads to incorrect accounting against `categoryAllocations`.

Vulnerability Details

In order to create vesting schedules, we are required to specify the "category" in which we want to vest tokens.

The function `createVestingSchedule()` makes sure that the amount vested in the given category does NOT exceed the total allocation for this category:

```solidity
// Check category allocation limits
uint256 newCategoryTotal = categoryUsed[category] + amount;
if (newCategoryTotal > categoryAllocations[category]) revert CategoryAllocationExceeded();
categoryUsed[category] = newCategoryTotal;
```

Notice that the `categoryUsed` mapping is increased by the vested amount.
However, an issue arises when we try to revoke such a vesting schedule.

The function `emergencyRevoke()` does not reduce `categoryUsed` by `unreleasedAmount`.
`unreleasedAmount` is the unreleased portion of the vesting schedule, and it is kept in the contract.

Because it is not subtracted from `categoryUsed`, the revoked schedule keeps consuming allocation for its category, which reduces the number of tokens that can be vested in that category in the future.

Impact

Incorrect accounting of `categoryAllocations`, leading to a reduction in the maximum number of tokens that can be vested in a category.

Tools Used

Manual

Recommendations

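Consider reducing the `categoryUsed` mapping by `unreleasedAmount` in the function `emergencyRevoke()`:

```solidity
function emergencyRevoke(address beneficiary) external onlyRole(EMERGENCY_ROLE) {
    // ... load `schedule` for `beneficiary` as the existing function does ...
    uint256 unreleasedAmount = schedule.totalAmount - schedule.releasedAmount;
    // `category` is the category the schedule was created under (assumed to be available here)
    categoryUsed[category] -= unreleasedAmount; // add this
    // ... rest of the existing function ...
}
```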
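The accounting drift described above, as an added example: a stripped-down model contract written for this page, not the RAAC contract's own code. The contract name, the `bytes32` category type, the `category` field stored in the schedule, the `vestingSchedules` mapping, the `NoVestingSchedule` error and the two revoke function names are assumptions; access control and token transfers are left out so only the counter logic remains.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical model of the category accounting (added example, not project code).
contract CategoryAccountingModel {
    error CategoryAllocationExceeded();
    error NoVestingSchedule();

    struct VestingSchedule {
        uint256 totalAmount;
        uint256 releasedAmount;
        bytes32 category; // assumption: stored so a revoke can find the right counter
        bool initialized;
    }

    mapping(bytes32 => uint256) public categoryAllocations;
    mapping(bytes32 => uint256) public categoryUsed;
    mapping(address => VestingSchedule) public vestingSchedules;

    constructor(bytes32 category, uint256 allocation) {
        categoryAllocations[category] = allocation;
    }

    function createVestingSchedule(address beneficiary, bytes32 category, uint256 amount) external {
        // Same limit check as quoted in the finding
        uint256 newCategoryTotal = categoryUsed[category] + amount;
        if (newCategoryTotal > categoryAllocations[category]) revert CategoryAllocationExceeded();
        categoryUsed[category] = newCategoryTotal;
        vestingSchedules[beneficiary] = VestingSchedule(amount, 0, category, true);
    }

    // Behaviour described in the finding: the schedule goes away (assumed here
    // to be a delete), but categoryUsed still counts its unreleased amount.
    function emergencyRevokeBuggy(address beneficiary) external {
        if (!vestingSchedules[beneficiary].initialized) revert NoVestingSchedule();
        delete vestingSchedules[beneficiary];
    }

    // Hardened form: return the unreleased amount to the category first.
    function emergencyRevokeFixed(address beneficiary) external {
        VestingSchedule storage schedule = vestingSchedules[beneficiary];
        if (!schedule.initialized) revert NoVestingSchedule();
        uint256 unreleasedAmount = schedule.totalAmount - schedule.releasedAmount;
        categoryUsed[schedule.category] -= unreleasedAmount;
        delete vestingSchedules[beneficiary];
    }
}
```

With a category allocation of 100, creating a schedule of 100 and revoking it through `emergencyRevokeBuggy` leaves `categoryUsed` at 100, so the next `createVestingSchedule` in that category reverts with `CategoryAllocationExceeded`; after `emergencyRevokeFixed` the counter is back at 0 and the same call succeeds.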
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACReleaseOrchestrator::emergencyRevoke fails to decrement categoryUsed, causing artificial category over-allocation and rejection of valid vesting schedules
