The contract includes a veRAACToken::whenNotPaused modifier, suggesting a pausing mechanism. However, the veRAACToken::paused variable is never modified anywhere in the contract, rendering the modifier ineffective. This creates a false sense of security, as the contract cannot be paused in case of an emergency.
The contract veRAACToken declares bool public paused; but does not initialize or update it anywhere.
The veRAACToken::whenNotPaused modifier is applied to critical functions (lock, increase, extend), but since veRAACToken::paused is always false by default, the modifier does not actually restrict access.
There is no function to allow the owner or an admin to change the veRAACToken::paused state.
This could mislead auditors, developers, and users into believing that the contract has a working pausing mechanism.
Emergency Handling Failure: If a vulnerability, exploit, or governance issue arises, there is no way to pause the contract, leading to potential financial loss or governance manipulation.
False Security Assumption: Developers, auditors, or users might assume that pausing is possible when it is not.
Misleading Code & Poor Maintainability: Future developers may attempt to rely on the whenNotPaused modifier, leading to unexpected security flaws.
Manual code review
Implement a functional pausing mechanism:
This allows the contract owner to toggle the paused state when needed.
If pausing was never intended, remove the whenNotPaused modifier from all functions to avoid confusion.
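The first recommendation above, sketched as an added example (this is not the veRAACToken source or the report author's code): a minimal contract in which paused has exactly one owner-only write path, so whenNotPaused can actually block calls. Only paused, whenNotPaused, lock and increase are names taken from the finding; the contract name, the owner handling, setPaused, the event, the custom errors and the function signatures are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration, not the veRAACToken source. Names other than `paused`,
/// `whenNotPaused`, `lock` and `increase` are hypothetical.
contract PausableLockSketch {
    address public immutable owner; // assumption: one privileged owner set at deploy
    bool public paused;             // defaults to false, as described in the finding

    mapping(address => uint256) public locked; // stand-in for the real lock state

    event PausedSet(address indexed by, bool paused);

    error NotOwner();
    error ContractPaused();
    error AlreadyInState();

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Same guard the finding describes; it only matters once `paused` can change.
    modifier whenNotPaused() {
        if (paused) revert ContractPaused();
        _;
    }

    /// The missing piece: the single, access-controlled write path to `paused`.
    function setPaused(bool newState) external onlyOwner {
        if (paused == newState) revert AlreadyInState(); // avoid no-op events
        paused = newState;
        emit PausedSet(msg.sender, newState); // lets monitoring see every toggle
    }

    /// Guarded entry points (signatures assumed): revert while paused is true.
    function lock(uint256 amount) external whenNotPaused {
        locked[msg.sender] += amount;
    }

    function increase(uint256 amount) external whenNotPaused {
        locked[msg.sender] += amount;
    }
}
```

A test for the real contract should assert that lock, increase and extend revert after the pause call and succeed again after unpausing, since that is the behaviour the dead modifier silently failed to provide.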