Submission Details
Severity:
Emergency revoke function will not work in the RAAC orchestrator contract
Vulnerability Details
/**
* @notice Emergency revoke of vesting schedule
* @param beneficiary Address of the beneficiary to revoke
* @dev Only callable by EMERGENCY_ROLE - Do we really want to allow this in the first place, would need more move too ?
*/
function emergencyRevoke(address beneficiary) external onlyRole(EMERGENCY_ROLE) {
VestingSchedule storage schedule = vestingSchedules[beneficiary];
if (!schedule.initialized) revert NoVestingSchedule();
uint256 unreleasedAmount = schedule.totalAmount - schedule.releasedAmount;
delete vestingSchedules[beneficiary];
if (unreleasedAmount > 0) {
@> raacToken.transfer(address(this), unreleasedAmount);
emit EmergencyWithdraw(beneficiary, unreleasedAmount);
}
emit VestingScheduleRevoked(beneficiary);
}
Basically the emergency role account is revoking a vesting schedule for a given beneficiary. The problem is that after the unreleased amount is calculated it's trying to transfer the raac tokens from itself to itself, which has no effect.
Impact
Medium, one of the core functions of theRAACReleaseOrchestratorsimply doesn't work. If it's protocol decision or a real emergency case, simply nothing can be done to stop the vesting process, which can even lead to loss of funds.
Tools Used
Manual Review
Recommendations
Raac tokens should be transfered to caller or some treasury address
Updates
Lead Judging Commences
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
RAACReleaseOrchestrator::emergencyRevoke sends revoked tokens to contract address with no withdrawal mechanism, permanently locking funds
inallhonesty 4 months ago
Submission Judgement Published Assigned finding tags:
RAACReleaseOrchestrator::emergencyRevoke sends revoked tokens to contract address with no withdrawal mechanism, permanently locking funds
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.