Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Emergency withdrawal does not store the withdrawer's checkpoint

Summary

Emergency withdrawal does not store the withdrawer's checkpoint

Vulnerability Details

Upon withdrawing (and pretty much all other operations), we have the following code:

    function withdraw() external nonReentrant {
        ...
        _checkpointState.writeCheckpoint(msg.sender, 0);
        ...
    }

The checkpoint writing is extremely important for proper state management. However, upon emergency withdrawing:

    function emergencyWithdraw() external nonReentrant {
        if (emergencyWithdrawDelay == 0 || block.timestamp < emergencyWithdrawDelay) revert EmergencyWithdrawNotEnabled();
        LockManager.Lock memory userLock = _lockState.locks[msg.sender];
        if (userLock.amount == 0) revert NoTokensLocked();
        uint256 amount = userLock.amount;
        uint256 currentPower = balanceOf(msg.sender);
        delete _lockState.locks[msg.sender];
        delete _votingState.points[msg.sender];
        // @audit doesn't do the writeCheckpoint call done on regular withdrawals
        _burn(msg.sender, currentPower);
        raacToken.safeTransfer(msg.sender, amount);
        emit EmergencyWithdrawn(msg.sender, amount);
    }

We do not store the checkpoint here at all.

Impact

The checkpoint is not stored, so the state will be incorrect.

Tools Used

Manual Review

Recommendations

Store a checkpoint on emergency withdrawal as well, as the regular withdrawal does.
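
A simplified JavaScript model of the inconsistency and of the recommended fix, added here as an illustration and not taken from the RAAC code base or the submission. It assumes checkpoints are per-account (block, power) pairs read with a latest-at-or-before lookup; `VeTokenModel`, `powerAt`, `isConsistent` and `scenario` are hypothetical names.

```javascript
// Simplified model (assumption): checkpoints are (block, power) pairs per account,
// and history lookups return the last checkpoint at or before the queried block.
class VeTokenModel {
  constructor() {
    this.block = 0;
    this.balances = new Map();     // current voting power per account
    this.checkpoints = new Map();  // account -> [{ block, power }]
  }
  mine(n = 1) { this.block += n; }
  writeCheckpoint(user, power) {
    const list = this.checkpoints.get(user) ?? [];
    list.push({ block: this.block, power });
    this.checkpoints.set(user, list);
  }
  lock(user, power) {
    this.balances.set(user, power);
    this.writeCheckpoint(user, power);
  }
  // Mirrors the regular path: burn, then record a zero checkpoint.
  withdraw(user) {
    this.balances.set(user, 0);
    this.writeCheckpoint(user, 0);
  }
  // fixed=false mirrors the reported behaviour: burn without a checkpoint.
  emergencyWithdraw(user, fixed = false) {
    this.balances.set(user, 0);
    if (fixed) this.writeCheckpoint(user, 0);
  }
  balanceOf(user) { return this.balances.get(user) ?? 0; }
  // Binary search for the last checkpoint with block <= target.
  powerAt(user, target) {
    const list = this.checkpoints.get(user) ?? [];
    let lo = 0, hi = list.length;
    while (lo < hi) {
      const mid = (lo + hi) >> 1;
      if (list[mid].block <= target) lo = mid + 1; else hi = mid;
    }
    return lo === 0 ? 0 : list[lo - 1].power;
  }
  // Invariant a test suite can assert after every state-changing call.
  isConsistent(user) { return this.powerAt(user, this.block) === this.balanceOf(user); }
}

// Constructed scenario: lock at block 10, emergency-withdraw at 15, read at 20.
function scenario(fixed) {
  const m = new VeTokenModel();
  m.mine(10); m.lock("alice", 1000);
  m.mine(5);  m.emergencyWithdraw("alice", fixed);
  m.mine(5);
  return { balance: m.balanceOf("alice"), recorded: m.powerAt("alice", m.block), consistent: m.isConsistent("alice") };
}
```

The `isConsistent` check is the kind of invariant worth asserting in the project's test suite after every lock, withdraw and emergency withdraw.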

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::emergencyWithdraw doesn't update checkpoint - inaccurate historical voting power, inconsistent state
