Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

`EMERGENCY_DELAY` is applied twice in the emergency withdraw procedure in the veRAACToken contract.

Summary

The flow of an emergency withdraw in the veRAAC contract is as follows:

  • Call `scheduleEmergencyAction`, providing `EMERGENCY_WITHDRAW_ACTION` (`keccak256("enableEmergencyWithdraw")`) as the argument.

    function scheduleEmergencyAction(bytes32 actionId) external onlyOwner {
        _emergencyTimelock[actionId] = block.timestamp;
        emit EmergencyActionScheduled(actionId, block.timestamp + EMERGENCY_DELAY);
    }

  • After that, call `enableEmergencyWithdraw`, which is protected by the `withEmergencyDelay` modifier to make sure that 3 days (`EMERGENCY_DELAY`) have passed since the call to `scheduleEmergencyAction`. This function sets the `emergencyWithdrawDelay` storage variable to `block.timestamp + EMERGENCY_DELAY`.

    // @audit MEDIUM FINAL REPORT: double emergency delay applied (first in modifier requiring `scheduleEmergencyAction` to be called, then `emergencyWithdrawDelay`)
    function enableEmergencyWithdraw() external onlyOwner withEmergencyDelay(EMERGENCY_WITHDRAW_ACTION) {
        emergencyWithdrawDelay = block.timestamp + EMERGENCY_DELAY;
        emit EmergencyWithdrawEnabled(emergencyWithdrawDelay);
    }

  • Finally, `emergencyWithdraw` makes sure that the current block timestamp has reached `emergencyWithdrawDelay`.

    function emergencyWithdraw() external nonReentrant {
        if (emergencyWithdrawDelay == 0 || block.timestamp < emergencyWithdrawDelay) {
            revert EmergencyWithdrawNotEnabled();
        }
        ...
    }

To summarize, 6 days are required from the decision to schedule an emergency withdraw procedure to actually enabling the emergency withdraw feature for users. This is incorrect and only one EMERGENCY_DELAY

Impact

The impact of this vulnerability is medium, as it leads to an incorrect delay when an emergency withdraw procedure is needed. Indeed, the documentation specifies "Emergency actions require 3-day delay", but currently the emergency actions require a 6-day delay.

Tools Used

Manual review

Recommendations

Rectify the delay logic so that `EMERGENCY_DELAY` is applied only once in the procedure.
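
One possible way to apply this recommendation, as an added sketch that is not the veRAACToken source or the auditor's code: `enableEmergencyWithdraw` opens withdrawals as soon as the scheduled timelock has elapsed. The `withEmergencyDelay` body, the owner handling, the event parameter names, the `NotOwner`, `EmergencyActionNotScheduled` and `EmergencyDelayNotMet` errors and the `emergencyWithdrawOpen` view are assumptions, since the page does not show them.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Added sketch, not the veRAACToken source. Names follow the excerpts above;
// the modifier body, owner handling, errors and event fields are assumptions.
contract EmergencyDelaySketch {
    uint256 public constant EMERGENCY_DELAY = 3 days;
    bytes32 public constant EMERGENCY_WITHDRAW_ACTION = keccak256("enableEmergencyWithdraw");

    address public immutable owner;
    mapping(bytes32 => uint256) private _emergencyTimelock;
    uint256 public emergencyWithdrawDelay;

    error NotOwner(); // assumed name
    error EmergencyActionNotScheduled(); // assumed name
    error EmergencyDelayNotMet(); // assumed name
    event EmergencyActionScheduled(bytes32 actionId, uint256 executeTime);
    event EmergencyWithdrawEnabled(uint256 withdrawTime);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Assumed body: the action must have been scheduled EMERGENCY_DELAY ago.
    modifier withEmergencyDelay(bytes32 actionId) {
        uint256 scheduledAt = _emergencyTimelock[actionId];
        if (scheduledAt == 0) revert EmergencyActionNotScheduled();
        if (block.timestamp < scheduledAt + EMERGENCY_DELAY) revert EmergencyDelayNotMet();
        _;
        delete _emergencyTimelock[actionId]; // one schedule allows one execution
    }

    function scheduleEmergencyAction(bytes32 actionId) external onlyOwner {
        _emergencyTimelock[actionId] = block.timestamp;
        emit EmergencyActionScheduled(actionId, block.timestamp + EMERGENCY_DELAY);
    }

    // Changed line: the timelock has already elapsed, so the second
    // "+ EMERGENCY_DELAY" is dropped and withdrawals open immediately.
    function enableEmergencyWithdraw() external onlyOwner withEmergencyDelay(EMERGENCY_WITHDRAW_ACTION) {
        emergencyWithdrawDelay = block.timestamp;
        emit EmergencyWithdrawEnabled(emergencyWithdrawDelay);
    }

    // Same gate as emergencyWithdraw() above, exposed as a view for testing.
    function emergencyWithdrawOpen() external view returns (bool) {
        return emergencyWithdrawDelay != 0 && block.timestamp >= emergencyWithdrawDelay;
    }
}
```

With this change the earliest withdrawal is 3 days after `scheduleEmergencyAction`, which matches the documented "Emergency actions require 3-day delay".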

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken implements two consecutive 3-day emergency delays (totaling 6 days), hindering timely emergency response when funds need to be withdrawn quickly
