Lack of RAACToken Retrieval after emergencyRevoke.
Summary
The RAACReleaseOrchestrator contract features an emergency revoke of vesting schedule, which is used for cancel the vesting and it will send the unreleased amount to RAACReleaseOrchestrator, but theres no way to get RAACToken from the contract and stuck forever in it.
Vulnerability Details
In RAACReleaseOrchestrator contract ORCHESTRATOR_ROLE create vesting schedule with RAACReleaseOrchestrator::createVestingSchedule() and provide the necessary param for creating schedule. for some reason when emergencyRevoke functions is executed by EMERGENCY_ROLE and unreleased amount is non-zero then unreleased amount send to the contract and theres no way to retrieve RAACToken from it SLOC#126-139.
RAACToken sent to this contract is forever stuck in it and cannot be retrieved by anyone.
Impact
Loss of Funds: Tokens that are stuck in the contract can't be accessed or used, potentially resulting in irreversible loss for beneficiaries or the contract owner.
Tools Used
Manual Review
Recommended Mitigation
Create function to recover RAACTokens transferred to this contract by the owner or any other trusted entity specified in the contract.
Lead Judging Commences
RAACReleaseOrchestrator::emergencyRevoke sends revoked tokens to contract address with no withdrawal mechanism, permanently locking funds
RAACReleaseOrchestrator::emergencyRevoke sends revoked tokens to contract address with no withdrawal mechanism, permanently locking funds
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.