Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

Revoked Beneficiaries Lose Their RAAC Tokens to the RAACReleaseOrchestrator contract

Summary

Beneficiaries whose vesting schedule is revoked during or after the vesting period lose their unreleased RAAC tokens to the RAACReleaseOrchestrator contract.

Vulnerability Details

When the address holding the EMERGENCY_ROLE calls the emergencyRevoke function to revoke a vesting schedule, the unreleased RAAC tokens that would otherwise be sent to the beneficiary after the vesting period are transferred to the contract itself, i.e. RAACReleaseOrchestrator transfers the tokens to its own address.

Once the vesting duration ends, these RAAC tokens cannot be recovered from RAACReleaseOrchestrator, which has no withdrawal mechanism.

Here is a written PoC in Foundry:

Although the documentation appears aware of this when it states that "Emergency revocation requires careful consideration", it does not address the impact of the RAAC tokens becoming stuck in the contract forever.

Impact

RAAC tokens of revoked beneficiaries are stuck in the contract.

Tools Used

Manual review, Foundry.

Recommendations

Rather than sending the tokens back into RAACReleaseOrchestrator, which has no withdrawal mechanism for stuck tokens, send the revoked schedule's unreleased tokens to the fee collector configured in the RAAC token.
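The following is an added, simplified illustration of the pattern described above and of the recommended fix; it is constructed for this write-up and is not the RAACReleaseOrchestrator code. It assumes a minimal ERC-20 interface, a single address standing in for the EMERGENCY_ROLE holder, and a `feeCollector` address passed in at construction as the destination for revoked tokens.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Minimal ERC-20 surface used below (constructed; not the RAAC token ABI).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}
// Simplified orchestrator written for this example; it is NOT RAACReleaseOrchestrator.
contract VestingOrchestratorExample {
    struct VestingSchedule { uint256 totalAmount; uint256 releasedAmount; bool initialized; }

    IERC20 public immutable raacToken;
    address public immutable feeCollector;  // assumed: the RAAC token's fee collector address
    address public immutable emergencyRole; // stands in for the EMERGENCY_ROLE holder
    mapping(address => VestingSchedule) public schedules;

    constructor(IERC20 token, address collector) {
        raacToken = token;
        feeCollector = collector;
        emergencyRole = msg.sender;
    }

    function createSchedule(address beneficiary, uint256 amount) external {
        require(msg.sender == emergencyRole, "not authorized");
        schedules[beneficiary] = VestingSchedule(amount, 0, true);
    }

    // Vulnerable pattern described in the finding: the unreleased balance is
    // "sent" to address(this). The contract already holds it, so nothing moves,
    // and with no withdraw/sweep function the tokens are locked for good.
    function emergencyRevokeVulnerable(address beneficiary) external {
        require(msg.sender == emergencyRole, "not authorized");
        VestingSchedule storage s = schedules[beneficiary];
        require(s.initialized, "no schedule");
        uint256 unreleased = s.totalAmount - s.releasedAmount;
        delete schedules[beneficiary];
        raacToken.transfer(address(this), unreleased); // self-transfer: funds stuck
    }

    // Hardened version matching the recommendation: route the unreleased
    // balance to the fee collector, an address that can actually use it.
    function emergencyRevoke(address beneficiary) external {
        require(msg.sender == emergencyRole, "not authorized");
        VestingSchedule storage s = schedules[beneficiary];
        require(s.initialized, "no schedule");
        uint256 unreleased = s.totalAmount - s.releasedAmount;
        delete schedules[beneficiary];
        require(raacToken.transfer(feeCollector, unreleased), "transfer failed");
    }
}
```

In a Foundry test, checking `raacToken.balanceOf(address(orchestrator))` before and after `emergencyRevokeVulnerable` shows the balance unchanged, while the hardened path moves the unreleased amount to `feeCollector`.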

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACReleaseOrchestrator::emergencyRevoke sends revoked tokens to contract address with no withdrawal mechanism, permanently locking funds
