Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

veRAACToken Can Be Transferred, Violating Core Protocol Constraints

Summary

The veRAACToken.sol contract is designed to be a non-transferable governance token. However, the current implementation allows transfers, because the transfer and transferFrom overrides still delegate to the parent ERC20 implementation. This contradicts the protocol's intended design and documentation, which state that veRAAC tokens should be strictly non-transferable.

Vulnerability Details

These are the transfer and transferFrom functions from the veRAACToken.sol contract: https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/tokens/veRAACToken.sol#L457-L478

    /**
     * @notice Transfers veRAAC tokens to another address
     * @dev Overrides ERC20 transfer to implement transfer restrictions
     * @param to The recipient address
     * @param amount The amount to transfer
     * @return success Always reverts as veRAAC tokens are non-transferable
     */
    function transfer(address to, uint256 amount) public virtual override(ERC20, IveRAACToken) returns (bool) {
        return super.transfer(to, amount);
    }

    /**
     * @notice Transfers veRAAC tokens from one address to another
     * @dev Overrides ERC20 transferFrom to implement transfer restrictions
     * @param from The sender address
     * @param to The recipient address
     * @param amount The amount to transfer
     * @return success Always reverts as veRAAC tokens are non-transferable
     */
    function transferFrom(address from, address to, uint256 amount) public virtual override(ERC20, IveRAACToken) returns (bool) {
        return super.transferFrom(from, to, amount);
    }

The problem is that both functions simply invoke super.transfer() and super.transferFrom(), which execute as standard ERC20 transfers; nothing in either body reverts, even though the NatDoc comments claim the functions "always revert". Since ERC20 does not inherently enforce non-transferability, veRAAC tokens can be freely transferred, contrary to the comments, the protocol documentation, and the intended behavior.

Impact

Impact: High – veRAAC tokens are supposed to be non-transferable, which is a fundamental property of the governance system. Allowing transfers can lead to governance manipulation and undermine the system.

Likelihood: High – Since the contract does not restrict transfers, any token holder can transfer tokens, whether unknowingly or maliciously.

Severity: High – This breaks core protocol functionality.

Tools Used

Manual Review

Recommendations

To strictly enforce non-transferability, update the transfer and transferFrom functions as follows:

    function transfer(address to, uint256 amount) public virtual override(ERC20, IveRAACToken) returns (bool) {
        revert("veRAAC tokens are non-transferable");
    }

    function transferFrom(address from, address to, uint256 amount) public virtual override(ERC20, IveRAACToken) returns (bool) {
        revert("veRAAC tokens are non-transferable");
    }

Updates
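Reverting in the two public entry points, as recommended above, closes the paths named in this finding but leaves any internal `_transfer` call (present or added later) unguarded. The added example below is not the RAAC project's code; it is a stand-alone illustration of enforcing non-transferability at the single balance-movement choke point of OpenZeppelin Contracts v5 (`_update`), with explicit reverts on `transfer` and `transferFrom` kept for a clear external error, and a Foundry test that checks both the revert and that mint/burn-style lock and unlock still work. The contract name, the `lock`/`unlock` functions, the `NonTransferable` error and the test addresses are assumptions made for this example; the OpenZeppelin and forge-std import paths are the libraries' standard ones.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not RAAC project code. Assumes OpenZeppelin Contracts v5, in which
// ERC20 routes every balance change (mint, burn, transfer, transferFrom) through _update.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
// Assumes forge-std for the test contract below.
import {Test} from "forge-std/Test.sol";

contract NonTransferableVoteToken is ERC20 {
    // Custom error (hypothetical name) so callers and tests can match on a selector.
    error NonTransferable();

    constructor() ERC20("Example vote-escrow token", "exVE") {}

    // Hypothetical lock entry point: escrow balance is minted to the caller.
    function lock(uint256 amount) external {
        _mint(msg.sender, amount);
    }

    // Hypothetical unlock entry point: escrow balance is burned from the caller.
    function unlock(uint256 amount) external {
        _burn(msg.sender, amount);
    }

    // Explicit reverts document the intent at the external interface. Overriding a
    // nonpayable function with a pure one is allowed (stricter mutability).
    function transfer(address, uint256) public pure override returns (bool) {
        revert NonTransferable();
    }

    function transferFrom(address, address, uint256) public pure override returns (bool) {
        revert NonTransferable();
    }

    // The real guard: every balance movement between two non-zero addresses ends
    // here, so transfer, transferFrom and any internal _transfer all revert, while
    // minting (from == 0) and burning (to == 0) still pass through.
    function _update(address from, address to, uint256 value) internal override {
        if (from != address(0) && to != address(0)) revert NonTransferable();
        super._update(from, to, value);
    }
}

// Foundry test: constructed addresses and amounts, nothing from the audited protocol.
contract NonTransferableVoteTokenTest is Test {
    NonTransferableVoteToken internal token;
    address internal alice = address(0xA11CE);
    address internal bob = address(0xB0B);

    function setUp() public {
        token = new NonTransferableVoteToken();
        vm.prank(alice);
        token.lock(100e18);
    }

    function test_transferReverts() public {
        vm.prank(alice);
        vm.expectRevert(NonTransferableVoteToken.NonTransferable.selector);
        token.transfer(bob, 1e18);
    }

    function test_transferFromReverts() public {
        vm.prank(bob);
        vm.expectRevert(NonTransferableVoteToken.NonTransferable.selector);
        token.transferFrom(alice, bob, 1e18);
    }

    function test_lockAndUnlockStillWork() public {
        assertEq(token.balanceOf(alice), 100e18);
        vm.prank(alice);
        token.unlock(40e18);
        assertEq(token.balanceOf(alice), 60e18);
    }
}
```

The test of the `_update` guard matters as much as the guard itself: a regression test that asserts `transfer` reverts, and that lock and unlock still change balances, is what would have caught the gap between the "always reverts" NatDoc comment and the bodies that merely call `super`.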

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
