Missing Token Ownership Transfer Functions in RAACMinter Contract
****
Summary
The RAACMinter contract does not implement the required functions initiateRAACTokenOwnershipTransfer and completeRAACTokenOwnershipTransfer, which are necessary to enforce the 7-day lockup delay and the 24-hour window for completing RAAC token ownership transfers. This oversight allows RAAC token ownership to be transferred without any delay, violating the intended transfer mechanism.
Vulnerability Details
The RAACMinter contract is supposed to include a delay mechanism for transferring RAAC token ownership, involving a 7-day lockup period and a 24-hour window for completing the transfer. However, the functions to initiate and complete the transfer are missing. Without these functions, tokens can be transferred immediately, bypassing the lockup period.
Link to docs -> https://docs.raac.io/core/minters/RAACMinter
Impact
Bypassing Transfer Delay: The absence of the delay mechanism allows ownership transfers to occur without waiting for the intended 7-day lockup period, undermining the contract’s designed governance mechanism.
Tools Used
Manual code review
Recommendations
Implement Ownership Transfer Functions: Implement the
initiateRAACTokenOwnershipTransferandcompleteRAACTokenOwnershipTransferfunctions to enforce the 7-day delay and 24-hour completion window for RAAC token ownership transfers.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.