Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

The veRAACToken shouldn't be transferable.

anirruth

Summary

The documentation states that the veRAACToken implements a Non-transferable token mechanics.

But in the code there is a mecanism to transfer token to a different account.

Vulnerability Details

/**

* @notice Transfers veRAAC tokens to another address

* @dev Overrides ERC20 transfer to implement transfer restrictions

* @param to The recipient address

* @param amount The amount to transfer

* @return success Always reverts as veRAAC tokens are non-transferable

function transfer(address to, uint256 amount) public virtual override(ERC20, IveRAACToken) returns (bool) {

return super.transfer(to, amount);

}

/**

* @notice Transfers veRAAC tokens from one address to another

* @dev Overrides ERC20 transferFrom to implement transfer restrictions

* @param from The sender address

* @param to The recipient address

* @param amount The amount to transfer

* @return success Always reverts as veRAAC tokens are non-transferable

function

(address from, address to, uint256 amount) public virtual override(ERC20, IveRAACToken) returns (bool) {

return super.transferFrom(from, to, amount);

}

The function allows anyone to transfer the tokens.

The transferFrom allows an attacker to transfer token from any account to their own account since there isn't a check to confirm the address calling the function is `address from`.

The comment states that `@return success Always reverts as veRAAC tokens are non-transferable` but there is no implementation to revert the transfer call.

Impact

An attacker can steal veRAACTokens from anyone due to missing check that the msg.sender is from address.
Can pass any vote. This can be achieved by voting from one address then transferring the veRAACTokens to another address to vote from.

Recommendations

Revert on transfer.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.