The veRAACToken contract defines a boolean variable emergencyUnlockEnabled intended to indicate whether emergency unlock is enabled. However, this variable is never referenced in any function that controls emergency withdrawal behavior. As a result, its existence does not impact the contract's operation, and its intended purpose is unclear.
The variable is declared as follows:
It is only modified in the executeEmergencyUnlock function:
However, no function (including emergencyWithdraw) checks the state of emergencyUnlockEnabled to conditionally allow or restrict actions.
In a crisis scenario, the inability to verify whether emergency unlock has been enabled may prevent the protocol from executing additional emergency controls. This could expose locked funds to unforeseen risks. Furthermore, the presence of an unused state variable can mislead developers and auditors regarding the intended emergency control mechanisms, reducing overall confidence in the protocol’s robustness. Lastly, properly utilizing this variable could allow the protocol to enforce additional checks during emergency conditions (e.g., in emergencyWithdraw), thereby improving security and fund safety.
Manual code review
Integrate the Variable into Critical Functions:
Modify the emergencyWithdraw function (or any other appropriate function) to check the value of emergencyUnlockEnabled. For example, the function could include a requirement such as:
This would ensure that emergency withdrawals only proceed when explicitly permitted by an owner-controlled emergency unlock.
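The pattern this finding describes, a state variable that functions assign but no function reads, can also be flagged mechanically. The following is an added example, not code from the report or from the veRAACToken code base, and it generalizes beyond emergencyUnlockEnabled to any contract-level variable. It is a regex heuristic that assumes one declaration per line; the Solidity sample is constructed, and LockSketch, scheduleEmergencyWithdraw and withdrawEnabledAt are hypothetical names.

```python
import re

# Constructed sample: a simplified stand-in for the pattern in the finding,
# not the veRAACToken source. withdrawEnabledAt is a hypothetical name.
SAMPLE = """
contract LockSketch {
    bool public emergencyUnlockEnabled;   // set below, never checked
    uint256 public withdrawEnabledAt;     // set and checked
    function executeEmergencyUnlock() external {
        emergencyUnlockEnabled = true;
    }
    function scheduleEmergencyWithdraw() external {
        withdrawEnabledAt = block.timestamp + 3 days;
    }
    function emergencyWithdraw() external {
        require(withdrawEnabledAt != 0, "not scheduled");
        require(block.timestamp >= withdrawEnabledAt, "too early");
    }
}
"""

# State variable declaration: <type> [visibility/mutability]* <name> [= init];
DECL = re.compile(r"\s*[A-Za-z_]\w*(?:\[\])?\s+"
                  r"(?:(?:public|private|internal|constant|immutable)\s+)*"
                  r"(\w+)\s*(?:=.*)?;\s*$")
# Plain or compound assignment right after the identifier (not ==, >=, <=, !=)
ASSIGN = re.compile(r"\s*(?:<<|>>|[-+*/%|&^])?=(?!=)")

def write_only_state_vars(source):
    """Return state variables that function bodies assign but never read."""
    source = re.sub(r"/\*.*?\*/|//[^\n]*", "", source, flags=re.S)
    depth, state_vars, body = 0, [], []
    for line in source.splitlines():
        if depth == 1:                      # contract level
            m = DECL.match(line)
            if m:
                state_vars.append(m.group(1))
        elif depth >= 2:                    # inside a function body
            body.append(line)
        depth += line.count("{") - line.count("}")
    code = "\n".join(body)
    flagged = []
    for name in state_vars:
        hits = list(re.finditer(rf"\b{re.escape(name)}\b", code))
        writes = [h for h in hits if ASSIGN.match(code, h.end())]
        if writes and len(writes) == len(hits):   # every use is an assignment
            flagged.append(name)
    return sorted(flagged)
```

A flagged variable may still be readable off-chain through its public getter; the check only reports that no on-chain logic depends on it.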