Once emergency withdrawals are enabled they cannot be disabled, which gives users the opportunity to withdraw before the lock period has ended.
In the `veRAACToken` contract, the owner can enable emergency withdrawals using the `enableEmergencyWithdraw` function. After the `EMERGENCY_DELAY` has passed, anyone can call `emergencyWithdraw`, which allows anyone to withdraw.
Current check allows permanent emergency withdrawal:
Critical: After an emergency, the `veRAACToken` contract will no longer work as intended and anyone will be able to bypass the lock. Emergencies are possible in any protocol, and the first emergency would completely break the functionality of the contract, which makes this a high severity issue.
The current emergency flow is:
OFF -> `enableEmergencyWithdraw` -> 3 day delay (`EMERGENCY_DELAY`) -> ON forever
The owner should be able to cancel the emergency by adding a function to switch it off or by introducing a limited window for emergency withdrawals:
OFF -> `enableEmergencyWithdraw` -> 3 day delay (`EMERGENCY_DELAY`) -> ON -> function to switch it OFF
OR
OFF -> `enableEmergencyWithdraw` -> 3 day delay (`EMERGENCY_DELAY`) -> ON for specific window -> OFF
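The two recommended flows can be combined in one state machine. The contract below is an added illustration, not the `veRAACToken` source: only `enableEmergencyWithdraw`, `emergencyWithdraw` and `EMERGENCY_DELAY` come from the finding, while `EMERGENCY_WINDOW` (and its 7 day length), `emergencyStart`, `cancelEmergencyWithdraw`, `emergencyActive` and `_releaseLock` are hypothetical names chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration only. Names other than enableEmergencyWithdraw,
// emergencyWithdraw and EMERGENCY_DELAY are hypothetical.
abstract contract BoundedEmergency {
    uint256 public constant EMERGENCY_DELAY = 3 days;
    uint256 public constant EMERGENCY_WINDOW = 7 days; // assumed length

    address public immutable owner;
    uint256 public emergencyStart; // 0 = OFF, otherwise the time the window opens

    error NotOwner();
    error EmergencyNotActive();

    event EmergencyScheduled(uint256 opensAt, uint256 closesAt);
    event EmergencyCancelled();

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // OFF -> scheduled: the window opens once the delay has passed.
    function enableEmergencyWithdraw() external onlyOwner {
        emergencyStart = block.timestamp + EMERGENCY_DELAY;
        emit EmergencyScheduled(emergencyStart, emergencyStart + EMERGENCY_WINDOW);
    }

    // Scheduled or ON -> OFF: the explicit switch-off the finding asks for.
    function cancelEmergencyWithdraw() external onlyOwner {
        emergencyStart = 0;
        emit EmergencyCancelled();
    }

    // True only inside [start, start + window), so the state returns to OFF
    // on its own even if the owner never calls cancelEmergencyWithdraw.
    function emergencyActive() public view returns (bool) {
        uint256 start = emergencyStart;
        return start != 0 && block.timestamp >= start && block.timestamp < start + EMERGENCY_WINDOW;
    }

    function emergencyWithdraw() external {
        if (!emergencyActive()) revert EmergencyNotActive();
        _releaseLock(msg.sender);
    }

    // Hypothetical hook: return the caller's locked tokens and clear the lock.
    function _releaseLock(address user) internal virtual;
}
```

Because the active check is derived from a start timestamp rather than a one-way flag, a second emergency can be scheduled later with the same delay, and lock enforcement resumes as soon as the window closes or the owner cancels.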