Core Contracts

Regnum Aurum Acquisition Corp
Hardhat / Real World Assets / NFT
77,280 USDC

Submission Details
Severity: low
Status: Invalid

ERC20.transfer() is a well-known possible failure point; using it in the vesting release mechanism could lead to a malfunction of the protocol

Summary

In RAACReleaseOrchestrator.sol we encounter the release function. This function is part of the vesting mechanism and uses .transfer() to send the released vested RAACTokens to the addresses that vested them. .transfer() is well known for its many flaws and compatibility issues, in particular that its boolean return value is not checked here. Incorrectly set up contracts that are supposed to receive the vested tokens could end up not receiving them.

Vulnerability Details

In RAACReleaseOrchestrator.sol:

    function release() external nonReentrant whenNotPaused {
        address beneficiary = msg.sender;
        VestingSchedule storage schedule = vestingSchedules[beneficiary];
        if (!schedule.initialized) revert NoVestingSchedule();

        uint256 releasableAmount = _calculateReleasableAmount(schedule);
        if (releasableAmount == 0) revert NothingToRelease();

        schedule.releasedAmount += releasableAmount;
        schedule.lastClaimTime = block.timestamp;

        raacToken.transfer(beneficiary, releasableAmount); // @ This can fail!!! The return value is not checked.
        emit TokensReleased(beneficiary, releasableAmount);
    }

Where beneficiary is some external contract address that may not have the correct implementation to receive the tokens, etc.

Impact

IMPACT: Medium -> Many tokens could be lost, as vests are usually high amounts of tokens.

LIKELIHOOD: Low -> Users are already encouraged to be aware of this kind of issue, but mistakes can always be made.

Tools Used

Manual

Recommendations

Use OpenZeppelin's SafeERC20 safeTransfer function, which reverts when the token returns false or the call fails.
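The following is an added example written for this page; it is not code from the RAAC project. It places the unchecked pattern from the report next to the recommended SafeERC20 version, against a constructed token that signals failure by returning false rather than reverting. The schedule struct, createSchedule, and the simplified _calculateReleasableAmount are assumptions made so the contract compiles stand-alone; the original's nonReentrant and whenNotPaused modifiers are omitted for the same reason.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical schedule, reduced to the fields release() touches.
struct VestingSchedule {
    bool initialized;
    uint256 totalAmount;
    uint256 releasedAmount;
    uint256 lastClaimTime;
}

/// Constructed token: on insufficient balance it returns false instead of reverting.
/// A `.transfer()` whose return value is ignored looks successful against it.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // no revert
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract ReleaseExample {
    using SafeERC20 for IERC20;

    error NoVestingSchedule();
    error NothingToRelease();
    event TokensReleased(address indexed beneficiary, uint256 amount);

    IERC20 public immutable raacToken;
    mapping(address => VestingSchedule) public vestingSchedules;

    constructor(IERC20 token) { raacToken = token; }

    /// Assumed helper: anyone may create a schedule here; a real orchestrator restricts this.
    function createSchedule(address beneficiary, uint256 amount) external {
        vestingSchedules[beneficiary] = VestingSchedule(true, amount, 0, block.timestamp);
    }

    /// Simplified: everything not yet released is releasable.
    function _calculateReleasableAmount(VestingSchedule storage s) internal view returns (uint256) {
        return s.totalAmount - s.releasedAmount;
    }

    /// Pattern from the report: state is updated and the event is emitted even when
    /// the token call returns false, so the schedule records tokens that never moved.
    function releaseUnchecked() external {
        address beneficiary = msg.sender;
        VestingSchedule storage schedule = vestingSchedules[beneficiary];
        if (!schedule.initialized) revert NoVestingSchedule();

        uint256 releasableAmount = _calculateReleasableAmount(schedule);
        if (releasableAmount == 0) revert NothingToRelease();

        schedule.releasedAmount += releasableAmount;
        schedule.lastClaimTime = block.timestamp;

        raacToken.transfer(beneficiary, releasableAmount); // return value ignored
        emit TokensReleased(beneficiary, releasableAmount);
    }

    /// Recommended version: safeTransfer reverts if the call fails or returns false,
    /// which also rolls back the releasedAmount bookkeeping above it.
    function release() external {
        address beneficiary = msg.sender;
        VestingSchedule storage schedule = vestingSchedules[beneficiary];
        if (!schedule.initialized) revert NoVestingSchedule();

        uint256 releasableAmount = _calculateReleasableAmount(schedule);
        if (releasableAmount == 0) revert NothingToRelease();

        schedule.releasedAmount += releasableAmount;
        schedule.lastClaimTime = block.timestamp;

        raacToken.safeTransfer(beneficiary, releasableAmount);
        emit TokensReleased(beneficiary, releasableAmount);
    }
}
```

To observe the difference, deploy FalseReturningToken, pass it as `IERC20(address(token))` to ReleaseExample without funding the orchestrator, create a schedule for a test account and call both functions from it: releaseUnchecked() succeeds and marks the amount as released while the account's balance stays zero, whereas release() reverts with SafeERC20's failed-operation error and leaves releasedAmount unchanged. The example assumes the OpenZeppelin Contracts package is installed in the Hardhat project.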

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
