Core Contracts

Summary

The veRAACToken::withdraw function can be called even when the contract is paused or during the EMERGENCY DELAY period. This means there is no effective mechanism to halt withdrawals under critical conditions.

Vulnerability Details

The veRAACToken::withdraw function lacks a protective modifier to restrict withdrawals during emergency situations. As a result, users can still withdraw their funds when the contract is in the paused state or during the EMERGENCY DELAY period.

Typically, the paused mode is activated in response to market instability or significant protocol issues. However, since the withdraw function remains accessible, the intended purpose of pausing the contract is undermined.

During the EMERGENCY DELAY period, emergency withdrawals are expected to be restricted. However, due to the absence of proper access control in veRAACToken::withdraw, users can still withdraw their locked tokens, contradicting the expected security measures. This unintended behavior could pose a significant risk to the protocol, particularly during emergencies or crisis scenarios.

Due to the lack of proper documentation, it is difficult to verify whether this behavior is intentional. However, allowing withdrawals during both the pausable period and the EMERGENCY DELAY period appears to be an oversight rather than a designed feature.

Relevant Code

Impact

Allowing withdrawals during the paused and EMERGENCY DELAY periods compromises the protocol's security, as users can still withdraw their tokens even when withdrawals should be restricted. This could lead to unintended fund outflows during critical situations.

Tools Used

Manual code review

Recommendations

• Introduce a modifier that restricts withdraw when the contract is paused or in the EMERGENCY DELAY period.

• Implement an explicit check within withdraw to ensure it cannot be executed under these conditions.

• Improve documentation to clarify the intended behavior of withdraw in emergency situations.