Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

emergencyRevoke() in RAACReleaseOrchestrator ignores GRACE_PERIOD implementation

Description

A GRACE_PERIOD of 7 days is specified in the contract:

File: contracts/core/minters/RAACReleaseOrchestrator/RAACReleaseOrchestrator.sol
    uint256 public constant GRACE_PERIOD = 7 days;

However, when emergencyRevoke() is called it makes no room for this GRACE_PERIOD:

File: contracts/core/minters/RAACReleaseOrchestrator/RAACReleaseOrchestrator.sol
    function emergencyRevoke(address beneficiary) external onlyRole(EMERGENCY_ROLE) {
        VestingSchedule storage schedule = vestingSchedules[beneficiary];
        if (!schedule.initialized) revert NoVestingSchedule();

        uint256 unreleasedAmount = schedule.totalAmount - schedule.releasedAmount;
        delete vestingSchedules[beneficiary];

        if (unreleasedAmount > 0) {
            raacToken.transfer(address(this), unreleasedAmount);
            emit EmergencyWithdraw(beneficiary, unreleasedAmount);
        }

        emit VestingScheduleRevoked(beneficiary);
    }

Impact

Admin can immediately revoke a user's vesting schedule & amount without warning.

Mitigation

Implement a timelock such that first a scheduleEmergencyRevoke() function needs to be called and then emergencyRevoke() can be called only after a delay of GRACE_PERIOD.
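
The two-step flow proposed under Mitigation, sketched in Solidity as an added example; it is not code from RAACReleaseOrchestrator or from the submission. `revokeReadyAt`, `EmergencyRevokeScheduled`, `Unauthorized`, `RevokeNotScheduled`, `GracePeriodNotElapsed` and the single `emergencyAdmin` address standing in for `EMERGENCY_ROLE` are assumptions, and token handling is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Added sketch, not project code: only the schedule-then-execute revoke flow is shown.
contract TimelockedRevokeSketch {
    struct VestingSchedule {
        uint256 totalAmount;
        uint256 releasedAmount;
        bool initialized;
    }

    uint256 public constant GRACE_PERIOD = 7 days;
    address public immutable emergencyAdmin; // stand-in for EMERGENCY_ROLE (assumption)
    mapping(address => VestingSchedule) public vestingSchedules;
    mapping(address => uint256) public revokeReadyAt; // hypothetical; 0 = nothing scheduled
    event EmergencyRevokeScheduled(address indexed beneficiary, uint256 readyAt); // hypothetical
    event VestingScheduleRevoked(address indexed beneficiary);
    error NoVestingSchedule();
    error Unauthorized();                         // hypothetical
    error RevokeNotScheduled();                   // hypothetical
    error GracePeriodNotElapsed(uint256 readyAt); // hypothetical

    modifier onlyEmergency() {
        if (msg.sender != emergencyAdmin) revert Unauthorized();
        _;
    }

    constructor(address admin, address beneficiary, uint256 amount) {
        emergencyAdmin = admin;
        vestingSchedules[beneficiary] = VestingSchedule(amount, 0, true); // constructed sample schedule
    }

    // Step 1: announce the revoke on-chain so the beneficiary can see it coming.
    // Calling it again only pushes the deadline further out, never closer.
    function scheduleEmergencyRevoke(address beneficiary) external onlyEmergency {
        if (!vestingSchedules[beneficiary].initialized) revert NoVestingSchedule();
        uint256 readyAt = block.timestamp + GRACE_PERIOD;
        revokeReadyAt[beneficiary] = readyAt;
        emit EmergencyRevokeScheduled(beneficiary, readyAt);
    }

    // Step 2: executable only once GRACE_PERIOD has elapsed since step 1.
    function emergencyRevoke(address beneficiary) external onlyEmergency {
        uint256 readyAt = revokeReadyAt[beneficiary];
        if (readyAt == 0) revert RevokeNotScheduled();
        if (block.timestamp < readyAt) revert GracePeriodNotElapsed(readyAt);
        delete revokeReadyAt[beneficiary]; // a later schedule for this address must wait again
        delete vestingSchedules[beneficiary];
        emit VestingScheduleRevoked(beneficiary);
    }
}
```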

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
