Frontrunning Risk in Emergency Withdrawal and Reward Claiming
Summary
Users can frontrun an emergencyWithdraw call to claim their accumulated RAAC token rewards before their funds are forcefully withdrawn. This allows them to extract rewards that should not be accessible in an emergency state, leading to unfair token distribution.
Vulnerability Details
The
emergencyWithdraw()function can only be called by an address with theEMERGENCY_ROLE.
However, since it does not immediately lock reward claims, a user can monitor for an incoming emergency withdrawal transaction and call
claimRewards()before the contract state changes.This results in them claiming rewards they otherwise would not be able to access post-withdrawal.
Impact
Malicious users can extract RAAC token rewards by frontrunning the emergency event.
Tools Used
Manual review
Recommendations
In emergencyWithdraw(), forcefully distribute pending rewards and reset balances before executing the withdrawal.
Lead Judging Commences
FeeCollector::emergencyWithdraw sends all tokens to treasury without resetting collectedFees, breaking rewards and future distributions
FeeCollector::emergencyWithdraw sends all tokens to treasury without resetting collectedFees, breaking rewards and future distributions
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.