Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

The `emergencyWithdraw` function will leave the FeeCollector in a broken state

Summary

The `FeeCollector::emergencyWithdraw` function allows emergency withdrawal of tokens, but fails to reset critical contract state variables like `collectedFees` and `userRewards`. This leaves the contract in an inconsistent state where accounting variables indicate funds that are no longer present in the contract.

Vulnerability Details

Whenever the `FeeCollector` contract receives funds through the `collectFee` function, the `collectedFees` struct is updated. These fees are distributed among different receivers using the `distributeCollectedFees` function. However, after an emergency withdrawal, the contract's RAAC token balance is zero while the `collectedFees` struct still reflects the pre-withdrawal balance. This mismatch causes the distribution process to revert on the following check: `if (contractBalance < totalFees) revert InsufficientBalance();`

Link to relevant code: https://github.com/Cyfrin/2025-02-raac/blob/89ccb062e2b175374d40d824263a4c0b601bcb7f/contracts/core/collectors/FeeCollector.sol#L403

Impact

After an emergency withdrawal:

  • `distributeCollectedFees()` will revert due to insufficient balance
  • `claimRewards()` will revert when users try to claim rewards
  • Contract accounting becomes permanently broken

This creates a situation where the contract becomes effectively deadlocked after emergency withdrawal, requiring manual intervention or contract redeployment to restore functionality.

Recommendations

Add state cleanup to the emergency withdrawal function.
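
A minimal sketch of that cleanup, added here as an illustration and not taken from the RAAC code base: `FeeCollectorModel`, its single `collectedFees` counter (standing in for the struct), the `receiver` address, the `AccountingReset` event and the `emergencyWithdraw(address to)` signature are all assumptions. The `userRewards` state named in the summary is not modeled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Simplified model (assumption), not the RAAC FeeCollector: one fee bucket, one receiver.
contract FeeCollectorModel {
    error InsufficientBalance();
    error Unauthorized();
    IERC20 public immutable raacToken;
    address public immutable owner;
    address public immutable receiver; // hypothetical single fee receiver
    uint256 public collectedFees;      // stands in for the collectedFees struct

    event AccountingReset(uint256 clearedFees);

    constructor(IERC20 token, address feeReceiver) {
        raacToken = token;
        owner = msg.sender;
        receiver = feeReceiver;
    }

    function collectFee(uint256 amount) external {
        require(raacToken.transferFrom(msg.sender, address(this), amount), "transfer failed");
        collectedFees += amount;
    }

    function distributeCollectedFees() external {
        uint256 totalFees = collectedFees;
        // The guard quoted in the finding: stale accounting makes this revert.
        if (raacToken.balanceOf(address(this)) < totalFees) revert InsufficientBalance();
        collectedFees = 0;
        require(raacToken.transfer(receiver, totalFees), "transfer failed");
    }

    function emergencyWithdraw(address to) external {
        if (msg.sender != owner) revert Unauthorized();
        uint256 balance = raacToken.balanceOf(address(this));
        // State cleanup: zero the accounting before the tokens leave, so the
        // guard above never compares pre-withdrawal fees to an empty balance.
        uint256 cleared = collectedFees;
        collectedFees = 0;
        emit AccountingReset(cleared);
        require(raacToken.transfer(to, balance), "transfer failed");
    }
}
```

Without the three cleanup lines in `emergencyWithdraw`, any later call to `distributeCollectedFees()` in this model reverts with `InsufficientBalance` until new fees exceed the stale total; the event gives monitoring a record of how much accounted value was cleared.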

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::emergencyWithdraw doesn't update checkpoint - inaccurate historical voting power, inconsistent state
