Submission Details
Severity:
`RAACReleaseOrchestrator` Has No Source of `raacToken`
Summary
The RAACReleaseOrchestrator contract releases raacTokens. However, there is no source of raacToken.
Vulnerability Details
The RAACReleaseOrchestrator.release() function transfers raacTokens to the beneficiary. However, we cannot see how the contract holds raacTokens. Due to the absence of a source for raacToken, releasing them is impossible.
function release() external nonReentrant whenNotPaused {
address beneficiary = msg.sender;
VestingSchedule storage schedule = vestingSchedules[beneficiary];
if (!schedule.initialized) revert NoVestingSchedule();
uint256 releasableAmount = _calculateReleasableAmount(schedule);
if (releasableAmount == 0) revert NothingToRelease();
schedule.releasedAmount += releasableAmount;
schedule.lastClaimTime = block.timestamp;
117 raacToken.transfer(beneficiary, releasableAmount);
emit TokensReleased(beneficiary, releasableAmount);
}
Impact
Releasing is impossible due to the lack of a source for raacToken.
Tools Used
Manual review
Recommendations
Implement logic for the RAACReleaseOrchestrator to hold the necessary raacTokens.
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420
USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.