The emergencyRevoke function in RAACReleaseOrchestrator.sol incorrectly transfers revoked tokens to the contract itself (address(this)) instead of the intended administrative role.
The emergencyRevoke function, designed to be callable by the EMERGENCY_ROLE, currently transfers unreleased tokens from a revoked vesting schedule to the contract's own address (address(this)). This behavior is counterintuitive for an emergency revocation, as it does not return the tokens to the control of the emergency administrator or a designated recovery address. It effectively locks the tokens within the contract.
Code Snippet:
The line raacToken.transfer(address(this), unreleasedAmount); directs the unreleased tokens to the contract itself.
Loss of Control over Revoked Tokens: The EMERGENCY_ROLE does not gain control of the revoked tokens, hindering emergency management capabilities.
Unexpected Token Destination: Tokens are sent to the contract address, which is not a logical destination for revoked funds in an emergency scenario.
Manual code review.
Modify the emergencyRevoke function to transfer the unreleasedAmount to a more appropriate address, such as:
msg.sender (Emergency Role Initiator): Transfer tokens to the address of the account with the EMERGENCY_ROLE that called the function.
Designated Recovery Address: Introduce a configurable recoveryAddress (potentially settable by DEFAULT_ADMIN_ROLE) and transfer revoked tokens to this address.
Treasury Address: Transfer revoked tokens to a designated treasury address for protocol funds management.
Also, consider renaming the EmergencyWithdraw event to TokensRevokedAndReclaimed or similar to better reflect the function's action.
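The designated recovery address option, sketched as an added example that is not code from RAACReleaseOrchestrator.sol. The storage layout, the single-address stand-ins for DEFAULT_ADMIN_ROLE and EMERGENCY_ROLE, and createSchedule are assumptions, and the contract is assumed to already hold the vested tokens.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Added sketch, not the RAAC contract: layout, roles and createSchedule are assumptions.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract ReleaseOrchestratorSketch {
    struct VestingSchedule { uint256 totalAmount; uint256 releasedAmount; bool initialized; }

    IERC20 public immutable raacToken;
    address public immutable admin;          // stands in for DEFAULT_ADMIN_ROLE
    address public immutable emergencyAdmin; // stands in for EMERGENCY_ROLE
    address public recoveryAddress;          // destination for revoked tokens
    mapping(address => VestingSchedule) public vestingSchedules;

    event TokensRevokedAndReclaimed(address indexed beneficiary, address indexed to, uint256 amount);

    constructor(IERC20 token, address emergencyAdmin_, address recovery_) {
        require(recovery_ != address(0), "zero recovery address");
        raacToken = token;
        admin = msg.sender;
        emergencyAdmin = emergencyAdmin_;
        recoveryAddress = recovery_;
    }

    function createSchedule(address beneficiary, uint256 amount) external {
        require(msg.sender == admin, "not admin");
        vestingSchedules[beneficiary] = VestingSchedule(amount, 0, true);
    }

    function setRecoveryAddress(address next) external {
        require(msg.sender == admin, "not admin");
        require(next != address(0), "zero recovery address"); // never revoke into address(0)
        recoveryAddress = next;
    }

    function emergencyRevoke(address beneficiary) external {
        require(msg.sender == emergencyAdmin, "not emergency role");
        VestingSchedule memory s = vestingSchedules[beneficiary];
        require(s.initialized, "no schedule");
        uint256 unreleasedAmount = s.totalAmount - s.releasedAmount;
        delete vestingSchedules[beneficiary]; // clear state before the external call
        if (unreleasedAmount > 0) {
            // Tokens leave the contract for the recovery address, not address(this).
            require(raacToken.transfer(recoveryAddress, unreleasedAmount), "transfer failed");
        }
        emit TokensRevokedAndReclaimed(beneficiary, recoveryAddress, unreleasedAmount);
    }
}
```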