Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

`FeeCollector::emergencyWithdraw` Function Leading to Potential Loss of User Rewards

Summary

The emergencyWithdraw function is implemented in a way that transfers the entire token balance held by the contract to the treasury when the contract is paused. This design fails to differentiate between protocol funds (collected fees) and user-owned rewards, resulting in the risk of inadvertently transferring user assets along with protocol funds.

Vulnerability Details

The function reads the contract's entire token balance, via raacToken.balanceOf(address(this)) for the RAAC token or IERC20(token).balanceOf(address(this)) for any other token, and transfers all of it to the treasury. It makes no distinction between funds that belong to the protocol and funds that have already been allocated to user rewards.

```solidity
function emergencyWithdraw(address token) external override whenPaused {
    if (!hasRole(EMERGENCY_ROLE, msg.sender)) revert UnauthorizedCaller();
    if (token == address(0)) revert InvalidAddress();

    uint256 balance;
    if (token == address(raacToken)) {
        // Entire balance is swept, including any RAAC earmarked for user rewards
        balance = raacToken.balanceOf(address(this));
        raacToken.safeTransfer(treasury, balance);
    } else {
        // Same for any other token: no reserved amount is subtracted
        balance = IERC20(token).balanceOf(address(this));
        SafeERC20.safeTransfer(IERC20(token), treasury, balance);
    }

    emit EmergencyWithdrawal(token, balance);
}
```

The emergency withdrawal mechanism does not account for the amounts already allocated or earmarked for user rewards (as maintained in mappings such as collectedFees or userRewards). This oversight means that user funds, which should be claimable separately, might be permanently redirected to the treasury.

Impact

  • Loss of User Rewards:
    Users may lose access to their rewards if an emergency withdrawal is executed, as their assets will be mistakenly transferred to the treasury.

Tools Used

Manual Code Review

Recommendations

Implement a clear segregation between protocol funds and user rewards.
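One way to implement that segregation, as an added example rather than the project's own code: the collector tracks a hypothetical per-token `reservedForUsers` amount (assumed to be incremented whenever rewards are allocated) and sweeps only the remainder, resetting the protocol fee accounting so the swept amount cannot be distributed a second time. The `emergencyAdmin` address and `paused` flag stand in for the original's role check and `whenPaused` modifier.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Added example, not the project's code. Only the protocol-owned slice of the
/// balance is swept to the treasury; tokens owed to users stay in the contract.
contract SegregatedFeeCollector {
    using SafeERC20 for IERC20;

    address public immutable treasury;
    address public immutable emergencyAdmin; // hypothetical stand-in for EMERGENCY_ROLE
    bool public paused;

    // Hypothetical accounting, per token: what is owed to users vs. the protocol.
    // reservedForUsers is assumed to grow as rewards are allocated and shrink on claims.
    mapping(address => uint256) public reservedForUsers;
    mapping(address => uint256) public protocolFees;

    event EmergencyWithdrawal(address indexed token, uint256 amount);
    error UnauthorizedCaller();
    error InvalidAddress();
    error NotPaused();

    constructor(address treasury_, address emergencyAdmin_) {
        treasury = treasury_;
        emergencyAdmin = emergencyAdmin_;
    }

    function setPaused(bool value) external {
        if (msg.sender != emergencyAdmin) revert UnauthorizedCaller();
        paused = value;
    }

    /// Sweeps balance minus the user-reserved amount and resets fee accounting.
    function emergencyWithdraw(address token) external {
        if (!paused) revert NotPaused();
        if (msg.sender != emergencyAdmin) revert UnauthorizedCaller();
        if (token == address(0)) revert InvalidAddress();

        uint256 balance = IERC20(token).balanceOf(address(this));
        uint256 reserved = reservedForUsers[token];
        // Never touch the user-owed slice, even if accounting drifted above the balance.
        uint256 withdrawable = balance > reserved ? balance - reserved : 0;

        protocolFees[token] = 0; // swept funds must not be counted in later distributions
        if (withdrawable > 0) IERC20(token).safeTransfer(treasury, withdrawable);
        emit EmergencyWithdrawal(token, withdrawable);
    }
}
```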

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

FeeCollector::emergencyWithdraw sends all tokens to treasury without resetting collectedFees, breaking rewards and future distributions