There is NO way to disable `emergencyWithdrawDelay` during emergency situations
Summary
In VeRaacToken contract, the owner can enable withdrawals via enableEmergencyWithdraw(), which allows the users to withdraw their funds before lock expiry during emergency situations.
However, there is NO WAY to reset this state variable emergencyWithdrawDelay.
Vulnerability Details
During Emergency situations, Users can call emergencyWithdraw() in order to withdraw their funds before expiry.
In this function, there is a validation check to ensure whether there is an actual emergency or not, if not, then the function reverts.
As long as the current timestamp exceeds the emergency delay(3 days delay), a user will be able to withdraw his funds.
However, there lies an issue here. If you look into the function enableEmergencyWithdraw() i.e.
Once it has been called, there is NO WAY to disable it. At most, owner can update to current time with a three days delay.
The owner will need to keep repeating this process, otherwise users will be able to withdraw their funds.
Impact
Emergency Withdrawals cannot be disabled. Hence, users will always be able to withdraw before lock expiry, which breaks protocol functionality.
Tools Used
Manual
Recommendations
Consider implementing an additional logic in the function enableEmergencyWithdraw() through which we can reset emergencyWithdrawDelay to zero.
Lead Judging Commences
veRAACToken::emergencyWithdraw permanently enables lock-bypassing after activation with no way to disable it, permanently breaking token time-locking functionality
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.