scheduleEmergencyAction does not account for the emergency delay
Summary
The scheduleEmergencyAction function within veRAACToken.sol is rather simple. It allows the owner to schedule an emergency action with the EMERGENCY_DELAY.
Vulnerability Details
However, when setting the _emergencyTimelock for a specific actionId, we set it directly to the current block.timestamp at the time of the execution of scheduleEmergencyAction. In reality, we should be accounting for the EMERGENCY_DELAY as intended by declaration, and by the usage. This is shown via the emit statement, where we account for the EMERGENCY_DELAY, yet within the actual assignment of the value we do not.
Impact
Emergency action is without an emergency delay, and can ultimately be executed without any intended delays. This is important because this mapping for the actionId is responsible for the scheduleTime within withEmergencyDelay modifier, for instance. It is also utilised when cancelling emergency actions, as well as when enabling emergency withdraw via enableEmergencyWithdraw.
Tools Used
Manual review
Recommendations
Assign the emergency delay to the current block.timestamp in order to account for the delay as intended.
Lead Judging Commences
veRAACToken implements two consecutive 3-day emergency delays (totaling 6 days), hindering timely emergency response when funds need to be withdrawn quickly
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.