When the owner schedules the emergency action EMERGENCY_WITHDRAW_ACTION, the current timestamp is stored in the _emergencyTimelock variable. After that, when the owner calls enableEmergencyWithdraw(), emergencyWithdrawDelay is set to the current timestamp + EMERGENCY_DELAY, instead of using the initial value from the _emergencyTimelock variable + EMERGENCY_DELAY*2.
If the owner calls enableEmergencyWithdraw() later than it becomes available, for example an hour later, then users will be unable to call the emergencyWithdraw function for an hour longer.
1. The owner calls scheduleEmergencyAction(EMERGENCY_WITHDRAW_ACTION).
2. When the time is _emergencyTimelock[actionId] + EMERGENCY_DELAY + 1 hour (for example), the owner calls enableEmergencyWithdraw(). This function sets the time from which users can start calling the emergencyWithdraw function. It uses the current timestamp, and that is the problem.
Because if the owner calls enableEmergencyWithdraw() 1 hour after it became possible to call it, users can call emergencyWithdraw() only an hour later as well.
In emergency situations, every minute matters for saving funds. But users can call emergencyWithdraw() only after an additional time gap, created by the time between the moment the owner could call enableEmergencyWithdraw() and the moment the owner actually calls it.
Manual review
Do not use block.timestamp in enableEmergencyWithdraw().
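The drifting deadline and the anchored alternative side by side, as an added sketch that is not the audited contract's code. Identifier names follow this report; the EMERGENCY_DELAY value, the action id hash, the owner check and the two function suffixes (Drifting, Anchored) are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration only; storage layout and constants are assumed.
contract EmergencyTimelockSketch {
    uint256 public constant EMERGENCY_DELAY = 3 days; // assumed value
    bytes32 public constant EMERGENCY_WITHDRAW_ACTION = keccak256("EMERGENCY_WITHDRAW"); // assumed id

    address public immutable owner = msg.sender;
    mapping(bytes32 => uint256) private _emergencyTimelock; // actionId => time of scheduling
    uint256 public emergencyWithdrawDelay; // users may call emergencyWithdraw from this time

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function scheduleEmergencyAction(bytes32 actionId) external onlyOwner {
        _emergencyTimelock[actionId] = block.timestamp;
    }

    // Behaviour described in the report: the user-facing deadline starts
    // counting from the moment the owner happens to send this transaction,
    // so every hour of owner latency is added to the users' wait.
    function enableEmergencyWithdrawDrifting() external onlyOwner {
        _requireDelayElapsed();
        emergencyWithdrawDelay = block.timestamp + EMERGENCY_DELAY;
    }

    // Anchored variant: the deadline is derived from the scheduling time,
    // so it is the same value no matter when the owner calls.
    function enableEmergencyWithdrawAnchored() external onlyOwner {
        uint256 scheduledAt = _requireDelayElapsed();
        emergencyWithdrawDelay = scheduledAt + EMERGENCY_DELAY * 2;
    }

    // The owner-side timelock: callable only EMERGENCY_DELAY after scheduling.
    function _requireDelayElapsed() private view returns (uint256 scheduledAt) {
        scheduledAt = _emergencyTimelock[EMERGENCY_WITHDRAW_ACTION];
        require(scheduledAt != 0, "not scheduled");
        require(block.timestamp >= scheduledAt + EMERGENCY_DELAY, "delay not elapsed");
    }
}
```

With the anchored variant, an owner call made one hour late yields the same emergencyWithdrawDelay as a call made on time, while the drifting variant moves it one hour later.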