Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Emergency Unlock Abuse

Summary

The emergency unlock mechanism allows users to withdraw their locked tokens prematurely when the emergencyUnlockEnabled flag is set. However, this feature lacks safeguards, making it susceptible to abuse if enabled accidentally or maliciously.

Vulnerability Details

Root Cause

The emergency unlock mechanism is controlled by a single flag (emergencyUnlockEnabled) and lacks:

  • A limit on the number of tokens that can be withdrawn during an emergency.

  • A restriction on which addresses can perform emergency withdrawals.

  • A delay between enabling the emergency unlock and allowing withdrawals.

function executeEmergencyUnlock() external onlyOwner withEmergencyDelay(EMERGENCY_UNLOCK_ACTION) {
    emergencyUnlockEnabled = true;
    emit EmergencyUnlockEnabled();
}

Proof of Concept (PoC)

Scenario

  • The contract owner enables the emergency unlock feature.

  • Users withdraw their locked tokens immediately, bypassing the lock duration.

  • The total locked supply drops to zero, disrupting governance and reward distribution.


Deploy the Contract:

  • Deploy the veRAACToken contract with the RAAC token address.

  • User A locks 1000 RAAC tokens for 4 years (MAX_LOCK_DURATION).

  • User B locks 500 RAAC tokens for 2 years.

  • The contract owner calls executeEmergencyUnlock to enable the emergency unlock feature.

  • User A calls emergencyWithdraw to withdraw their 1000 RAAC tokens.

  • User B calls emergencyWithdraw to withdraw their 500 RAAC tokens.

  • The total locked supply drops to zero.

  • Governance and reward distribution are disrupted.

Expected Behavior

The emergency unlock mechanism should only be used in genuine emergencies, with safeguards to prevent mass withdrawals and system destabilization.

Actual Behavior

Users can withdraw their tokens immediately once the emergency unlock is enabled, leading to mass withdrawals and system instability.

Code Example

// Simulate emergency unlock abuse.
// raacTokenAddress, userA and userB are assumed to be defined by the test fixture.
function testEmergencyUnlockAbuse() public {
    // Step 1: Deploy the contract
    veRAACToken veRAAC = new veRAACToken(raacTokenAddress);

    // Step 2: Simulate user locks
    uint256 lockAmountA = 1000e18;
    uint256 lockDurationA = 1460 days; // 4 years
    veRAAC.lock(lockAmountA, lockDurationA);
    uint256 lockAmountB = 500e18;
    uint256 lockDurationB = 730 days; // 2 years
    veRAAC.lock(lockAmountB, lockDurationB);

    // Step 3: Enable emergency unlock
    // (the call carries the onlyOwner and withEmergencyDelay modifiers shown above)
    veRAAC.executeEmergencyUnlock();

    // Step 4: Perform emergency withdrawals
    veRAAC.emergencyWithdraw(userA);
    veRAAC.emergencyWithdraw(userB);

    // Step 5: Verify that the total locked supply is zero
    // (Solidity's assert takes a single argument, so require carries the message)
    require(veRAAC.totalSupply() == 0, "Total locked supply should be zero");
}

Output

  • The total locked supply drops to zero after the emergency withdrawals.

  • Users A and B successfully withdraw their tokens, bypassing the lock duration.

Impact

  • If the emergency unlock is enabled, all users can withdraw their tokens immediately, regardless of lock duration. This could destabilize the system by reducing the total locked supply and undermining the governance mechanism.

  • Users may lose confidence in the system if emergency unlocks are triggered unnecessarily or maliciously.

  • Premature withdrawals could disrupt reward distribution and governance processes, leading to financial losses for stakeholders.

Tools Used

Manual Code Review

Recommendations

  • Limit the number of tokens that can be withdrawn during an emergency (e.g., a percentage of the total locked supply per day).

  • Restrict emergency withdrawals to a whitelist of trusted addresses.

  • Add a delay between enabling the emergency unlock and allowing withdrawals to give users time to react.

  • Require multiple signatures to enable the emergency unlock, reducing the risk of accidental or malicious activation.

  • Emit detailed events when the emergency unlock is enabled or used to improve transparency.
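
One way the delay, withdrawal-limit and event recommendations above could fit together, as an added example that is not part of the submission or of the RAAC code base. The contract name, WITHDRAW_DELAY, DAILY_CAP_BPS and every function and event name are hypothetical, and the constant values are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
// Added illustration, not the veRAACToken source; every name and constant is hypothetical.
contract GuardedEmergencyUnlock {
    IERC20 public immutable token;
    address public immutable owner;
    uint256 public constant WITHDRAW_DELAY = 1 days; // assumed grace period
    uint256 public constant DAILY_CAP_BPS = 1000;    // assumed: 10% of snapshot per day
    uint256 public withdrawalsOpenAt; // 0 = emergency unlock not enabled
    uint256 public totalLocked;
    uint256 public lockedAtEnable;    // supply snapshot the daily cap is computed from
    mapping(address => uint256) public locked;
    mapping(uint256 => uint256) public withdrawnOnDay; // day index => amount withdrawn
    event EmergencyUnlockEnabled(uint256 opensAt, uint256 supplySnapshot);
    event EmergencyWithdrawn(address indexed user, uint256 amount, uint256 dayIndex);

    constructor(IERC20 _token) { token = _token; owner = msg.sender; }

    function lock(uint256 amount) external {
        require(withdrawalsOpenAt == 0, "emergency active");
        locked[msg.sender] += amount;
        totalLocked += amount;
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    // Enabling only starts the clock: withdrawals open WITHDRAW_DELAY later.
    function enableEmergencyUnlock() external {
        require(msg.sender == owner, "not owner");
        require(withdrawalsOpenAt == 0, "already enabled");
        lockedAtEnable = totalLocked;
        withdrawalsOpenAt = block.timestamp + WITHDRAW_DELAY;
        emit EmergencyUnlockEnabled(withdrawalsOpenAt, lockedAtEnable);
    }

    // A per-day cap bounds how fast the locked supply can drain once withdrawals open.
    function emergencyWithdraw(uint256 amount) external {
        require(withdrawalsOpenAt != 0 && block.timestamp >= withdrawalsOpenAt, "not open");
        uint256 dayIndex = block.timestamp / 1 days;
        withdrawnOnDay[dayIndex] += amount;
        require(withdrawnOnDay[dayIndex] <= lockedAtEnable * DAILY_CAP_BPS / 10_000, "daily cap hit");
        locked[msg.sender] -= amount; // reverts on underflow in Solidity >= 0.8
        totalLocked -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
        emit EmergencyWithdrawn(msg.sender, amount, dayIndex);
    }
}
```

With these assumed values, at most 10% of the supply snapshotted at enable time can leave per calendar day, and nothing can leave during the first day after the flag is set.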

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
