Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

Tokens Locked in Contract Upon Beneficiary Vesting Schedule Revocation

s0x0mtee

Summary

When a beneficiary's vesting schedule is revoked using emergencyRevoke, the unreleased tokens are permanently locked in the contract and become unusable. This occurs because the tokens have already been accounted for in categoryUsed[category], but there is no mechanism to recycle them back into the vesting system or allocate them elsewhere.

Vulnerability Details

  • The function emergencyRevoke deletes the vesting schedule of the beneficiary.

  • The unreleasedAmount of tokens (i.e., tokens that have not yet been claimed) is calculated but not reassigned to a valid category or beneficiary.

  • Instead, the contract attempts to transfer the tokens to itself:

    raacToken.transfer(address(this), unreleasedAmount);

  • Since categoryUsed[category] is not decremented, the locked tokens cannot be reassigned or reallocated.

Why This Matters

The inability to recycle tokens leads to permanent token loss because of the following constraint in createVestingSchedule:

if (newCategoryTotal > categoryAllocations[category]) revert CategoryAllocationExceeded();

  • categoryUsed[category] continues to count revoked allocations, so even though tokens are no longer assigned to a beneficiary, they cannot be reallocated and cannot be called `release()` on

  • If an admin tries to create a new vesting schedule, the CategoryAllocationExceeded check will fail because the system believes the tokens are still used.

  • Over time, as revocations occur, more and more tokens will be permanently locked, reducing the available supply for vesting and causing misalignment between intended allocations and actual token distribution.

Impact

  • Unreleased tokens are permanently locked inside the contract, reducing the total circulating supply.

  • The vesting schedule cannot be properly adjusted if a revocation is necessary.

  • Future beneficiaries may not receive their intended allocations due to artificial allocation caps.

Tools Used

  • Manual code review

Recommendations

  • Instead of transferring tokens to the contract, decrement categoryUsed[category] to allow the tokens to be reassigned:

    categoryUsed[category] -= unreleasedAmount;

  • Alternatively, allow an admin function to reallocate revoked tokens to a new beneficiary.

  • Consider allowing a recovery mechanism where unreleased tokens are returned to the treasury or another predefined category.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACReleaseOrchestrator::emergencyRevoke fails to decrement categoryUsed, causing artificial category over-allocation and rejection of valid vesting schedules

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACReleaseOrchestrator::emergencyRevoke fails to decrement categoryUsed, causing artificial category over-allocation and rejection of valid vesting schedules

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!