The emergencyRevoke function transfers unreleased tokens to the contract itself (address(this)). However, there is no function to recover these tokens, causing them to become permanently locked in the contract.
When emergencyRevoke is called, the remaining unvested tokens of a revoked beneficiary are transferred to the contract:
Problem: The contract lacks a mechanism to withdraw or reallocate these tokens.
As a result, tokens are permanently stuck in the contract, making them unrecoverable unless an external upgrade or admin intervention is performed.
Locked Funds: Any tokens revoked through emergencyRevoke become permanently inaccessible.
Manual Code Review
Add a function to allow the admin to recover stuck tokens.
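One way to implement this recommendation, as an added sketch that is not the audited contract's code. Every name except emergencyRevoke (the token and admin variables, the Schedule struct, addSchedule, revokedBalance, recoverRevokedTokens) is an assumption, and vesting math is reduced to total minus released. It tracks revoked amounts separately so the recovery function cannot sweep tokens still owed to other beneficiaries:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; all names except emergencyRevoke are hypothetical.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract VestingRecoverySketch {
    struct Schedule { uint256 total; uint256 released; bool revoked; }

    IERC20 public immutable token;   // assumed: one vesting token
    address public immutable admin;  // assumed: single admin rather than a role system
    uint256 public revokedBalance;   // freed by revocations, not yet recovered
    mapping(address => Schedule) public schedules;

    event Revoked(address indexed beneficiary, uint256 unreleased);
    event RevokedTokensRecovered(address indexed to, uint256 amount);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    constructor(IERC20 _token) { token = _token; admin = msg.sender; }

    // Assumed helper to create a schedule; the contract must already hold the tokens.
    function addSchedule(address b, uint256 total) external onlyAdmin {
        require(schedules[b].total == 0, "exists");
        schedules[b] = Schedule(total, 0, false);
    }

    // Record the freed amount instead of transferring to address(this).
    function emergencyRevoke(address b) external onlyAdmin {
        Schedule storage s = schedules[b];
        require(s.total != 0 && !s.revoked, "nothing to revoke");
        uint256 unreleased = s.total - s.released;
        s.revoked = true;
        revokedBalance += unreleased;
        emit Revoked(b, unreleased);
    }

    // Capped at revokedBalance, so active beneficiaries' tokens stay out of reach.
    function recoverRevokedTokens(address to, uint256 amount) external onlyAdmin {
        require(to != address(0), "zero address");
        require(amount <= revokedBalance, "exceeds revoked");
        revokedBalance -= amount; // effects before the external call
        require(token.transfer(to, amount), "transfer failed");
        emit RevokedTokensRecovered(to, amount);
    }
}
```

Tokens that do not return a bool from transfer need a wrapper such as OpenZeppelin's SafeERC20 in place of the bare require.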