Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Missing whenNotPaused modifier in veRAACToken::withdraw

[M-2] Missing whenNotPaused modifier in veRAACToken::withdraw

Description: During an emergency, withdraw functions are the most vital functions for a protocol to pause, because that is mainly where malicious actors will withdraw from. Other vital functions in veRAACToken have the whenNotPaused modifier, but the withdraw functions do not.

Impact: Malicious actors, who might be the reason the protocol paused the contract, will still be able to get away with funds even when the protocol is paused.

Proof of Concept:

function withdraw() external nonReentrant {
    LockManager.Lock memory userLock = _lockState.locks[msg.sender];

    if (userLock.amount == 0) revert LockNotFound();
    if (block.timestamp < userLock.end) revert LockNotExpired();

    uint256 amount = userLock.amount;
    uint256 currentPower = balanceOf(msg.sender);

    // Clear lock data
    delete _lockState.locks[msg.sender];
    delete _votingState.points[msg.sender];

    // Update checkpoints
    _checkpointState.writeCheckpoint(msg.sender, 0);

    // Burn veTokens and transfer RAAC
    _burn(msg.sender, currentPower);
    raacToken.safeTransfer(msg.sender, amount);

    emit Withdrawn(msg.sender, amount);
}
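A source-level check for the omission shown above, as an added example that is not part of the original submission or the RAAC code base: it lists state-changing external/public functions whose header lacks whenNotPaused. The contract in SAMPLE_SOURCE, every function name in it other than withdraw, and the pause/unpause allowlist are assumptions made for illustration.

```javascript
// Added example: flag externally callable, state-changing Solidity functions
// that do not carry a pause guard. SAMPLE_SOURCE is constructed; only the
// withdraw() header matches the one quoted in the finding.
const SAMPLE_SOURCE = `
contract SampleLock {
    function deposit(uint256 amount, uint256 duration) external nonReentrant whenNotPaused {}
    function extendLock(uint256 newDuration)
        external
        nonReentrant
        whenNotPaused
    {}
    function withdraw() external nonReentrant {}
    function getLock(address user) external view returns (uint256) {}
    function _burnFor(address user) internal {}
    function unpause() external onlyOwner {}
    // function oldWithdraw() external {}
}
`;

// Drop block and line comments so commented-out code is never reported.
// (A "//" inside a string literal would also be cut; acceptable for header scanning.)
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/\/\/[^\n]*/g, " ");
}

// Return the names of external/public, non-view/pure functions without `guard`.
// `allow` holds functions that must stay callable while paused.
function findUnpausable(src, guard = "whenNotPaused", allow = ["pause", "unpause"]) {
  // name, parameter list, then everything up to the body "{" or a ";" declaration
  const headerRe = /\bfunction\s+([A-Za-z_$][\w$]*)\s*\(([^)]*)\)([^{;]*)[{;]/g;
  const findings = [];
  for (const match of stripComments(src).matchAll(headerRe)) {
    const name = match[1];
    // Visibility, mutability and modifiers all sit in the header tail.
    const words = match[3].split(/[\s(),]+/).filter(Boolean);
    const exposed = words.includes("external") || words.includes("public");
    const readOnly = words.includes("view") || words.includes("pure");
    if (exposed && !readOnly && !words.includes(guard) && !allow.includes(name)) {
      findings.push(name);
    }
  }
  return findings;
}

console.log(findUnpausable(SAMPLE_SOURCE));
```

Each reported name still needs a manual decision: some functions are meant to stay callable while paused and belong in the allowlist.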

Recommended Mitigation:
Add the whenNotPaused modifier as shown below:

- function withdraw() external nonReentrant {
+ function withdraw() external nonReentrant whenNotPaused {
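Review bot: The added whenNotPaused on the `+` line also blocks users whose lock has already expired (those who pass the `block.timestamp < userLock.end` check) from recovering their RAAC for as long as the contract stays paused, and the change does not say whether that is intended. Document on withdraw() that withdrawals are frozen during a pause and how users get their tokens back if the pause is long-lived. A test that pauses the contract and expects withdraw() to revert would pin the new behaviour.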
Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::withdraw lacks whenNotPaused
