If the emergencyWithdraw function in veRAACToken is enabled, an attacker can always steal the rewards from the feeCollector using a flash loan. The malicious user would take a flash loan, lock all of the funds to gain voting power, obtain all the shares, then withdraw the funds and return the flash loan.
When the emergency withdraw is enabled, users can lock and unlock their funds immediately. This is why an attacker can steal all of the rewards.
1. Take a flash loan
2. Lock all of the funds
3. Hold 99.99% of the voting power
4. Call ClaimRewards in FeeCollector
5. Withdraw the locked funds from the veRAACToken
6. Return the flash loan
7. Keep all of the rewards
Even if the emergency withdraw is enabled, enforce a delay of at least 10 seconds between the lock function and the withdraw.
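A sketch of that delay check, as an added example rather than the protocol's code: the contract, the MIN_LOCK_DELAY constant, the lockedAt mapping and the minimal token interface are all hypothetical, and only the guard between lock and emergencyWithdraw is modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal token interface for this sketch (assumption, not the protocol's).
interface IERC20Min {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical locker showing only the delay guard; not the veRAACToken source.
contract DelayedEmergencyLocker {
    uint256 public constant MIN_LOCK_DELAY = 10 seconds; // value suggested in the finding
    IERC20Min public immutable token;
    address public immutable owner;
    bool public emergencyWithdrawEnabled;
    mapping(address => uint256) public lockedAmount;
    mapping(address => uint256) public lockedAt; // timestamp of the most recent lock
    error NotOwner();
    error EmergencyWithdrawDisabled();
    error LockTooRecent(uint256 unlockableAt);

    constructor(IERC20Min token_) {
        token = token_;
        owner = msg.sender;
    }

    function setEmergencyWithdraw(bool enabled) external {
        if (msg.sender != owner) revert NotOwner();
        emergencyWithdrawEnabled = enabled;
    }

    function lock(uint256 amount) external {
        lockedAmount[msg.sender] += amount;
        lockedAt[msg.sender] = block.timestamp; // each top-up restarts the delay
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    function emergencyWithdraw() external {
        if (!emergencyWithdrawEnabled) revert EmergencyWithdrawDisabled();
        // A flash loan is repaid in the transaction that took it, where
        // block.timestamp is unchanged, so this check reverts the round trip.
        uint256 unlockableAt = lockedAt[msg.sender] + MIN_LOCK_DELAY;
        if (block.timestamp < unlockableAt) revert LockTooRecent(unlockableAt);
        uint256 amount = lockedAmount[msg.sender];
        delete lockedAmount[msg.sender];
        delete lockedAt[msg.sender];
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```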