`RAACReleaseOrchestrator::emergencyRevoke()` performs meaningless token transfer
Summary
The RAACReleaseOrchestrator::emergencyRevoke() function performs an unnecessary token transfer, sending tokens from the contract to itself, which has no effect on the token balance but incurs unnecessary gas costs.
Vulnerability Details
As indicated by the @> mark in the code, the contract executes a token transfer where the recipient is address(this), meaning the contract is transferring tokens to itself. This operation serves no functional purpose.
The contract calls raacToken.transfer(address(this), unreleasedAmount);, effectively transferring tokens from itself to itself.
In standard ERC-20 implementations, the transfer function typically follows this logic:
Since msg.sender == address(this), the function will deduct the contract’s balance and then immediately add the same amount back, resulting in no actual change in token ownership.
Despite having no functional impact, the operation still consumes gas, making it an entirely redundant transaction.
Impact
The unnecessary token transfer wastes gas without achieving any meaningful result.
While it does not directly affect contract functionality, it introduces inefficiencies in transaction execution.
Tools Used
Manual Review
Recommendations
Remove or replace raacToken.transfer(address(this), unreleasedAmount); with a meaningful operation, such as redistributing or reallocating the revoked tokens if needed.
Lead Judging Commences
RAACReleaseOrchestrator::emergencyRevoke sends revoked tokens to contract address with no withdrawal mechanism, permanently locking funds
RAACReleaseOrchestrator::emergencyRevoke sends revoked tokens to contract address with no withdrawal mechanism, permanently locking funds
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.