Submission Details
Severity:
categoryUsed is not updated when revokes a vesting schedule in RAACReleaseOrchestrator
Summary
categoryUsed is not updated when revokes a vesting schedule in RAACReleaseOrchestrator.
Vulnerability Details
When emergencyRevoke() is called to revoke a vesting schedule, the corresponding schedule is deleted from vestingSchedules.
RAACReleaseOrchestrator::emergencyRevoke()
function emergencyRevoke(address beneficiary) external onlyRole(EMERGENCY_ROLE) {
VestingSchedule storage schedule = vestingSchedules[beneficiary];
if (!schedule.initialized) revert NoVestingSchedule();
uint256 unreleasedAmount = schedule.totalAmount - schedule.releasedAmount;
delete vestingSchedules[beneficiary];
if (unreleasedAmount > 0) {
raacToken.transfer(address(this), unreleasedAmount);
emit EmergencyWithdraw(beneficiary, unreleasedAmount);
}
emit VestingScheduleRevoked(beneficiary);
}
However, categoryUsed is not updated while it should be supplement by the unreleased amount.
Impact
Incorrect accounting of categoryUsed.
Tools Used
Manual Review
Recommendations
When a vesting schedule is revoked, add the unreleased amount back to categoryUsed.
Updates
Lead Judging Commences
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
RAACReleaseOrchestrator::emergencyRevoke fails to decrement categoryUsed, causing artificial category over-allocation and rejection of valid vesting schedules
inallhonesty 7 months ago
Submission Judgement Published Assigned finding tags:
RAACReleaseOrchestrator::emergencyRevoke fails to decrement categoryUsed, causing artificial category over-allocation and rejection of valid vesting schedules
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.