Submission Details
Severity:
H-2 Unrestricted Emergency Withdrawals in FeeCollector::emergencyWithdraw
Summary
The emergencyWithdraw function allows an account with EMERGENCY_ROLE to withdraw all funds. While role-based access control (RBAC) is used, there is a risk if EMERGENCY_ROLE is assigned to a single externally owned account (EOA). A compromised admin could drain all funds instantly.
function emergencyWithdraw(address token) external override whenPaused {
// @audit potential withdraw of funds
if (!hasRole(EMERGENCY_ROLE, msg.sender)) revert UnauthorizedCaller();
if (token == address(0)) revert InvalidAddress();
uint256 balance;
if (token == address(raacToken)) {
balance = raacToken.balanceOf(address(this));
raacToken.safeTransfer(treasury, balance);
} else {
balance = IERC20(token).balanceOf(address(this));
SafeERC20.safeTransfer(IERC20(token), treasury, balance);
}
emit EmergencyWithdrawal(token, balance);
}
Vulnerability Details
If an admin with EMERGENCY_ROLE gets compromised or acts maliciously, they can withdraw all funds immediately. giving users no time to react to a potential attack.
Impact
Loss of Funds
Tools Used
Manual Review
Recommendations
Implement a Time Delay Before Withdrawals
Limit amout that can be withdrawn
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.