Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Valid

Missing whenNotPaused modifier on withdraw function allows token withdrawals during emergency

Summary

The veRAACToken::withdraw() function lacks the whenNotPaused modifier that is present on other user-facing functions, allowing users to withdraw their RAAC tokens even when the contract is paused for an emergency.

Vulnerability Details

The contract implements a pausing mechanism for emergency situations, where all user interactions should be halted. This is enforced through the whenNotPaused modifier on functions like lock(), increase(), and extend(). However, the withdraw() function is missing this critical modifier:

    function withdraw() external nonReentrant {
        // Missing whenNotPaused modifier
        LockManager.Lock memory userLock = _lockState.locks[msg.sender];
        if (userLock.amount == 0) revert LockNotFound();
        if (block.timestamp < userLock.end) revert LockNotExpired();
        // ... withdrawal logic
    }

This oversight means that even when the contract is paused due to an emergency, users can still withdraw their tokens, potentially undermining the purpose of the emergency pause.
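
The inconsistency described above (whenNotPaused on lock(), increase() and extend() but not on withdraw()) can be caught mechanically during review. The JavaScript check below is an added example, not code from the submission or the audited repository; the sample contract source is constructed, and its parameter lists and the lockEndOf and _checkpoint functions are hypothetical.

```javascript
// Constructed sample. lock/increase/extend/withdraw are named in the finding;
// parameter lists, bodies, lockEndOf and _checkpoint are hypothetical.
const SAMPLE_SOURCE = `
contract veRAACToken {
    function lock(uint256 amount, uint256 duration) external nonReentrant whenNotPaused { }
    function increase(uint256 amount) external nonReentrant whenNotPaused { }
    function extend(uint256 newDuration) external nonReentrant whenNotPaused { }
    // Missing whenNotPaused modifier
    function withdraw() external nonReentrant { }
    function lockEndOf(address user) external view returns (uint256) { }
    function _checkpoint(address user) internal { }
}`;

// Names of external/public, state-changing functions that lack `modifier`.
// Regex heuristic over function headers, not a full Solidity parser.
function findUnguarded(source, modifier = "whenNotPaused") {
  // Drop comments so a note mentioning the modifier is not read as a guard.
  const code = source
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/\/\/[^\n]*/g, "");
  const header = /\bfunction\s+(\w+)\s*\([^)]*\)([^{;]*)[{;]/g;
  const unguarded = [];
  for (const match of code.matchAll(header)) {
    const [, name, tail] = match;
    // Remove the returns(...) clause, then split the rest of the header
    // into visibility, mutability and modifier words.
    const words = tail
      .replace(/\breturns\s*\([^)]*\)/, "")
      .split(/[\s(),]+/)
      .filter(Boolean);
    const callable = words.includes("external") || words.includes("public");
    const readOnly = words.includes("view") || words.includes("pure");
    if (callable && !readOnly && !words.includes(modifier)) unguarded.push(name);
  }
  return unguarded;
}

console.log(findUnguarded(SAMPLE_SOURCE));
```

A flagged function is a prompt for manual review of the pause design, since the check only compares function headers.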

Impact

  • During an emergency pause meant to prevent any token movements, users can still withdraw their RAAC tokens

  • This could disrupt emergency response procedures

  • The pausing mechanism becomes partially ineffective as a security control

Recommendations

Add the whenNotPaused modifier to withdraw():

- function withdraw() external nonReentrant {
+ function withdraw() external nonReentrant whenNotPaused {
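
Review bot: On the + line, whenNotPaused now gates the only exit shown for expired locks, so a holder whose lock has ended cannot recover tokens for as long as the pause lasts. State that behaviour in the function's documentation, and add a test asserting that withdraw() reverts while paused and succeeds once the pause is lifted. If exits are meant to stay possible during a pause, that calls for a separate, explicitly scoped path and not this modifier.
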
Updates

Lead Judging Commences

inallhonesty Lead Judge 5 months ago
Submission Judgement Published
Validated
Assigned finding tags:

veRAACToken::withdraw lacks whenNotPaused
