The emergencyRevoke() function is designed to revoke a beneficiary's vesting schedule and reclaim the unvested tokens. However, it sends the unvested tokens to the contract itself (address(this)), and the contract exposes no withdrawal mechanism. Once a schedule is revoked, the reclaimed tokens are therefore permanently locked in the contract and inaccessible to anyone.
The function transfers the unvested tokens to address(this). Because the tokens already sit in the vesting contract, this is a self-transfer that leaves the contract's balance unchanged, and the contract has no function to withdraw or otherwise reclaim them.
This permanently locks the tokens inside the contract, making them unusable.
The function deletes the vesting schedule but does not define what should happen to the reclaimed tokens. If they were meant to be redistributed or sent to a treasury, that is not handled.
Each revocation adds to the stranded balance, so repeated revocations accumulate a large amount of tokens that nobody can move.
Tokens reclaimed through emergencyRevoke() become permanently inaccessible, to the protocol owner as well as to the former beneficiary.
Manual Review
Introduce a withdrawTokens() function, restricted to an authorised role, to recover tokens that are not backing an active vesting schedule (including tokens accidentally sent to the contract). It must not be able to drain funds still owed to beneficiaries.
Ensure that emergencyRevoke() transfers the revoked tokens to a designated address (e.g. admin or treasury) rather than to address(this).
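The following sketch, added here for illustration and not taken from the audited project, puts the broken pattern next to the recommended fix. The schedule layout, the owner check, the linear vestedAmount() curve, the treasury address and the committed counter are all assumptions made so the contract compiles; the point is where emergencyRevoke() sends the unvested balance and how withdrawTokens() is kept from touching funds still owed under active schedules.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface: only what this example needs.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical vesting contract (example code, not the project's own).
contract VestingExample {
    struct Schedule {
        uint256 total;     // tokens allocated to the beneficiary
        uint256 released;  // tokens already claimed by the beneficiary
        uint64 start;
        uint64 duration;
    }

    IERC20 public immutable token;
    address public immutable owner;
    address public treasury;           // assumed destination for revoked tokens
    uint256 public committed;          // tokens still owed under active schedules
    mapping(address => Schedule) public schedules;

    event Revoked(address indexed beneficiary, uint256 paidOut, uint256 reclaimed);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IERC20 _token, address _treasury) {
        token = _token;
        owner = msg.sender;
        treasury = _treasury;
    }

    // Funds the schedule up front so the contract always holds >= committed tokens.
    function createSchedule(address beneficiary, uint256 total, uint64 start, uint64 duration) external onlyOwner {
        require(schedules[beneficiary].total == 0, "schedule exists");
        require(duration > 0, "zero duration");
        require(token.transferFrom(msg.sender, address(this), total), "fund failed");
        schedules[beneficiary] = Schedule(total, 0, start, duration);
        committed += total;
    }

    // Linear vesting curve; assumed for the example.
    function vestedAmount(address beneficiary) public view returns (uint256) {
        Schedule memory s = schedules[beneficiary];
        if (block.timestamp < s.start) return 0;
        if (block.timestamp >= s.start + s.duration) return s.total;
        return (s.total * (block.timestamp - s.start)) / s.duration;
    }

    function release() external {
        Schedule storage s = schedules[msg.sender];
        uint256 claimable = vestedAmount(msg.sender) - s.released;
        s.released += claimable;
        committed -= claimable;
        require(token.transfer(msg.sender, claimable), "transfer failed");
    }

    // BEFORE: the pattern the finding describes (kept only for contrast).
    // The tokens are already held by this contract, so transferring them to
    // address(this) changes nothing; deleting the schedule then leaves the
    // unvested balance with no code path that can ever move it.
    function emergencyRevokeBroken(address beneficiary) external onlyOwner {
        Schedule memory s = schedules[beneficiary];
        uint256 unvested = s.total - vestedAmount(beneficiary);
        delete schedules[beneficiary];
        token.transfer(address(this), unvested); // self-transfer: tokens stranded
    }

    // AFTER: pay out what the beneficiary has already vested, send the unvested
    // remainder to the designated treasury, and release the accounting.
    function emergencyRevoke(address beneficiary) external onlyOwner {
        Schedule memory s = schedules[beneficiary];
        require(s.total > 0, "no schedule");
        uint256 vested = vestedAmount(beneficiary);
        uint256 owed = vested - s.released;   // vested but not yet claimed
        uint256 unvested = s.total - vested;  // reclaimed by the protocol
        delete schedules[beneficiary];
        committed -= owed + unvested;         // == s.total - s.released
        if (owed > 0) require(token.transfer(beneficiary, owed), "payout failed");
        require(token.transfer(treasury, unvested), "reclaim failed");
        emit Revoked(beneficiary, owed, unvested);
    }

    // Safety net from the recommendation: only the surplus above `committed`
    // (e.g. tokens accidentally sent here) can be withdrawn, never vesting funds.
    function withdrawTokens(address to, uint256 amount) external onlyOwner {
        uint256 surplus = token.balanceOf(address(this)) - committed;
        require(amount <= surplus, "would touch vesting funds");
        require(token.transfer(to, amount), "transfer failed");
    }
}
```

The committed counter is what makes withdrawTokens() safe to expose: it tracks the sum of total minus released over all live schedules, so the owner can sweep stray tokens without being able to reach balances that beneficiaries are still entitled to claim. A real deployment would keep only the corrected emergencyRevoke(), not both variants.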