Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Valid

emergencyRevoke in RAACReleaseOrchestrator doesn't transfer any funds

Summary

RAACReleaseOrchestrator can revoke a beneficiary's vesting schedule and withdraw all funds that were deposited for it, but because of a bug the RAAC tokens are left in RAACReleaseOrchestrator.

Vulnerability Details

The function attempts to transfer the tokens from the contract to itself (address(this)).

    function emergencyRevoke(address beneficiary) external onlyRole(EMERGENCY_ROLE) {
        VestingSchedule storage schedule = vestingSchedules[beneficiary];
        if (!schedule.initialized) revert NoVestingSchedule();
        uint256 unreleasedAmount = schedule.totalAmount - schedule.releasedAmount;
        delete vestingSchedules[beneficiary];
        if (unreleasedAmount > 0) {
            // Bug is here
            raacToken.transfer(address(this), unreleasedAmount);
            // Bug is here ^^^
            emit EmergencyWithdraw(beneficiary, unreleasedAmount);
        }
        emit VestingScheduleRevoked(beneficiary);
    }

Impact

Funds for the beneficiary will be locked forever in the contract.

Tools Used

Manual review

Recommendations

Change the transfer destination address to be the sender.
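A reduced sketch of the recommended fix, added here as an illustration; it is not the project's contract or the submitter's code. The contract name, the seedSchedule helper, the FundsNotMoved error and the post-transfer balance check are assumptions, and the imports assume OpenZeppelin Contracts is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

// Added illustration: a reduced stand-in for RAACReleaseOrchestrator (hypothetical name).
contract ReleaseOrchestratorSketch is AccessControl {
    using SafeERC20 for IERC20;
    bytes32 public constant EMERGENCY_ROLE = keccak256("EMERGENCY_ROLE");
    struct VestingSchedule { uint256 totalAmount; uint256 releasedAmount; bool initialized; }

    IERC20 public immutable raacToken;
    mapping(address => VestingSchedule) public vestingSchedules;

    event EmergencyWithdraw(address indexed beneficiary, uint256 amount);
    event VestingScheduleRevoked(address indexed beneficiary);
    error NoVestingSchedule();
    error FundsNotMoved(); // hypothetical error, not on the original page

    constructor(IERC20 token, address emergencyAdmin) {
        raacToken = token;
        _grantRole(EMERGENCY_ROLE, emergencyAdmin);
    }

    // Hypothetical helper so the sketch can be exercised in a test; the caller must approve first.
    function seedSchedule(address beneficiary, uint256 amount) external onlyRole(EMERGENCY_ROLE) {
        raacToken.safeTransferFrom(msg.sender, address(this), amount);
        vestingSchedules[beneficiary] = VestingSchedule(amount, 0, true);
    }

    function emergencyRevoke(address beneficiary) external onlyRole(EMERGENCY_ROLE) {
        VestingSchedule storage schedule = vestingSchedules[beneficiary];
        if (!schedule.initialized) revert NoVestingSchedule();
        uint256 unreleasedAmount = schedule.totalAmount - schedule.releasedAmount;
        delete vestingSchedules[beneficiary]; // bookkeeping is cleared before the external call

        if (unreleasedAmount > 0) {
            uint256 balanceBefore = raacToken.balanceOf(address(this));
            // Fix per the recommendation: pay the caller instead of address(this).
            raacToken.safeTransfer(msg.sender, unreleasedAmount);
            // Added safeguard (assumption): a self-transfer leaves the balance unchanged and reverts here.
            if (balanceBefore - raacToken.balanceOf(address(this)) != unreleasedAmount) revert FundsNotMoved();
            emit EmergencyWithdraw(beneficiary, unreleasedAmount);
        }
        emit VestingScheduleRevoked(beneficiary);
    }
}
```

A regression test for this finding would seed a schedule, call emergencyRevoke from the emergency role, and assert that the contract's token balance fell by the unreleased amount.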

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACReleaseOrchestrator::emergencyRevoke sends revoked tokens to contract address with no withdrawal mechanism, permanently locking funds
