The emergencyRevoke function in the RAACReleaseOrchestrator contract transfers revoked tokens to the contract's own address (address(this)) without any mechanism to withdraw them, resulting in permanent token lockup.
The issue occurs because:
The unreleased balance of a revoked schedule is transferred to address(this), after which it is no longer accounted to any schedule.
No withdrawal function exists to move these tokens out of the contract.
No treasury or other designated address is configured to receive revoked tokens.
The contract has no rescue or sweep function for tokens stuck in its own balance.
All tokens revoked through the emergency procedure become permanently locked in the contract.
Depending on how many schedules are revoked, a significant portion of the total token supply could be affected.
The financial loss is equal to the value of the locked tokens.
Risk Rating: HIGH (permanent loss of assets)
An admin creates a vesting schedule for a user with 1000 tokens.
An account holding the emergency role calls emergencyRevoke on the user's schedule.
The 1000 tokens are transferred to the contract's own address.
No function exists to withdraw them, so the 1000 tokens are permanently locked.
Implement one of these solutions:
Add a treasury address and transfer revoked tokens to it instead of to address(this) (preferred).
Or add an access-controlled withdrawal function for tokens held by the contract, capped so that it cannot withdraw tokens that still belong to active vesting schedules.
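A sketch of both mitigations next to the vulnerable shape from the proof of concept above, added here as an illustration; it is not RAACReleaseOrchestrator's code. The VestingSchedule layout, the role names, the allocatedTotal counter and every function name are assumptions, and the sketch assumes the orchestrator custodies the vesting tokens, so a transfer to address(this) is a self-transfer that moves nothing:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

/// @dev Illustrative sketch for this finding. Struct layout, role names,
///      allocatedTotal and function names are assumptions, not the project's code.
contract ReleaseOrchestratorSketch is AccessControl {
    using SafeERC20 for IERC20;

    bytes32 public constant EMERGENCY_ROLE = keccak256("EMERGENCY_ROLE");

    struct VestingSchedule {
        uint256 totalAmount;    // tokens allocated to the beneficiary
        uint256 releasedAmount; // tokens the beneficiary has already claimed
        bool initialized;
    }

    IERC20 public immutable raacToken;
    address public treasury;
    mapping(address => VestingSchedule) public vestingSchedules;
    /// @dev Sum of unreleased amounts across live schedules. Anything the contract
    ///      holds above this figure belongs to no schedule and may be withdrawn.
    uint256 public allocatedTotal;

    event EmergencyRevoke(address indexed beneficiary, uint256 amount);
    event TreasuryUpdated(address indexed newTreasury);
    event UnallocatedWithdrawn(address indexed to, uint256 amount);

    constructor(IERC20 token, address treasury_) {
        require(treasury_ != address(0), "treasury is zero");
        raacToken = token;
        treasury = treasury_;
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
    }

    /// @dev Admin funds the schedule up front; the contract custodies the tokens.
    function createVestingSchedule(address beneficiary, uint256 amount)
        external onlyRole(DEFAULT_ADMIN_ROLE)
    {
        require(!vestingSchedules[beneficiary].initialized, "schedule exists");
        vestingSchedules[beneficiary] = VestingSchedule(amount, 0, true);
        allocatedTotal += amount;
        raacToken.safeTransferFrom(msg.sender, address(this), amount);
    }

    /// VULNERABLE shape from the finding, kept for comparison. The tokens already
    /// sit at address(this), so the transfer is a self-transfer that moves nothing;
    /// the amount is dropped from schedule accounting and, in a contract without
    /// one of the two fixes below, nothing can ever move it out again.
    function emergencyRevokeVulnerable(address beneficiary)
        external onlyRole(EMERGENCY_ROLE)
    {
        uint256 unreleased = _closeSchedule(beneficiary);
        raacToken.safeTransfer(address(this), unreleased); // no-op, tokens stranded
        emit EmergencyRevoke(beneficiary, unreleased);
    }

    /// FIX, option 1 (preferred): revoked tokens go to a designated treasury.
    function emergencyRevoke(address beneficiary) external onlyRole(EMERGENCY_ROLE) {
        uint256 unreleased = _closeSchedule(beneficiary);
        raacToken.safeTransfer(treasury, unreleased);
        emit EmergencyRevoke(beneficiary, unreleased);
    }

    function setTreasury(address newTreasury) external onlyRole(DEFAULT_ADMIN_ROLE) {
        require(newTreasury != address(0), "treasury is zero");
        treasury = newTreasury;
        emit TreasuryUpdated(newTreasury);
    }

    /// FIX, option 2: admin-only withdrawal, capped at the unallocated surplus so
    /// it can never pull tokens that still belong to live vesting schedules.
    function withdrawUnallocated(address to, uint256 amount)
        external onlyRole(DEFAULT_ADMIN_ROLE)
    {
        require(to != address(0), "recipient is zero");
        uint256 unallocated = raacToken.balanceOf(address(this)) - allocatedTotal;
        require(amount <= unallocated, "exceeds unallocated balance");
        raacToken.safeTransfer(to, amount);
        emit UnallocatedWithdrawn(to, amount);
    }

    /// @dev Removes the schedule and returns the amount that was still unreleased.
    function _closeSchedule(address beneficiary) internal returns (uint256 unreleased) {
        VestingSchedule storage s = vestingSchedules[beneficiary];
        require(s.initialized, "no schedule");
        unreleased = s.totalAmount - s.releasedAmount;
        allocatedTotal -= unreleased;
        delete vestingSchedules[beneficiary];
    }
}
```

With the proof-of-concept numbers: after createVestingSchedule(user, 1000) and emergencyRevokeVulnerable(user), balanceOf(address(this)) is still 1000 while allocatedTotal is 0, so withdrawUnallocated can recover exactly 1000 and not a token more; with option 1 the 1000 tokens land in the treasury directly and no recovery step is needed. The cap on withdrawUnallocated is the check that matters: an uncapped admin withdrawal would turn a lockup bug into an admin-drains-everything risk for beneficiaries whose schedules are still active.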