Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

`emergencyRevoke` doesn't work in `RAACReleaseOrchestrator`

Summary

`emergencyRevoke` is a function used to revoke the unreleased tokens of a recipient and withdraw them from the contract. The issue is that the tokens are sent to `address(this)` rather than to `msg.sender`.

Vulnerability Details

We can see that `emergencyRevoke` sends the tokens to `address(this)`, not to `msg.sender`. An ERC20 transfer from the contract to itself leaves the contract's balance unchanged, so the unreleased tokens cannot be withdrawn from the contract using `emergencyRevoke`.

```solidity
function emergencyRevoke(address beneficiary) external onlyRole(EMERGENCY_ROLE) {
    VestingSchedule storage schedule = vestingSchedules[beneficiary];
    if (!schedule.initialized) revert NoVestingSchedule();

    uint256 unreleasedAmount = schedule.totalAmount - schedule.releasedAmount;
    delete vestingSchedules[beneficiary];

    if (unreleasedAmount > 0) {
        // Bug: the recipient is the orchestrator itself, so nothing leaves the contract.
        raacToken.transfer(address(this), unreleasedAmount);
        emit EmergencyWithdraw(beneficiary, unreleasedAmount);
    }
    emit VestingScheduleRevoked(beneficiary);
}
```

Impact

Tokens are stuck in the contract because `emergencyRevoke` does not work as expected: it sends the tokens to `address(this)` instead of `msg.sender`, and there is no other path to withdraw them.

Tools Used

Manual Review, Hardhat

Recommendations

Transfer the unreleased amount to `msg.sender` instead of `address(this)`.

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACReleaseOrchestrator::emergencyRevoke sends revoked tokens to contract address with no withdrawal mechanism, permanently locking funds

