Submission Details
Severity:
Redundant and Potentially Failing Self-Transfer in RAACReleaseOrchestrator which allow beneficiary front-running
Summary
RAACReleaseOrchestrator::emergencyRevoke transfer RAAC to itself when revoking a schedule. It's useless and can revert for nothing
Vulnerability Details
function emergencyRevoke(address beneficiary) external onlyRole(EMERGENCY_ROLE) {
VestingSchedule storage schedule = vestingSchedules[beneficiary];
if (!schedule.initialized) revert NoVestingSchedule();
uint256 unreleasedAmount = schedule.totalAmount - schedule.releasedAmount;
delete vestingSchedules[beneficiary];
if (unreleasedAmount > 0) {
raacToken.transfer(address(this), unreleasedAmount); // useless and can revert
emit EmergencyWithdraw(beneficiary, unreleasedAmount);
}
emit VestingScheduleRevoked(beneficiary);
}
Protocol wants to revoke a malicious beneficiary that has pending rewards
RAACReleaseOrchestrator has no raacToken
Protocol sends Raac to orchestrator to be able to emergencyRevoke()
Malicious beneficiary front-run Protocol by calling
release()and get part or all of his schedule
Impact
Potential reversion if contract do not have tokens
Front running possible from malicious beneficiary
Tools Used
Recommendations
Remove the self transfer.
Updates
Lead Judging Commences
inallhonesty 6 months ago
Submission Judgement Published Assigned finding tags:
RAACReleaseOrchestrator::emergencyRevoke sends revoked tokens to contract address with no withdrawal mechanism, permanently locking funds
inallhonesty 6 months ago
Submission Judgement Published Assigned finding tags:
RAACReleaseOrchestrator::emergencyRevoke sends revoked tokens to contract address with no withdrawal mechanism, permanently locking funds
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.