Category: Coding Mistakes

Withdrawal does not send tokens

Critical Severity
Critical Impact
High Likelihood

Description

The function responsible for withdrawing $RUJI from the protocol does not add a message to its response that sends the tokens to the withdrawing user.

#[cfg_attr(not(feature = "library"), entry_point)]
pub fn execute(...) {
    ...
    ExecuteMsg::Withdraw { share_amount } => {
        nonpayable(&info)?;
        let amount = execute_withdraw(deps.storage, &config, time, &info.sender, share_amount)?;
        // The response below carries only an event; no message that
        // transfers `amount` to `info.sender` is added.
        Ok(Response::default().add_event(
            Event::new("merge/withdraw")
                .add_attribute("account", info.sender)
                .add_attribute("shares", share_amount)
                .add_attribute("amount", amount),
        ))
    }
    ...
}

Impact

Users will not get their funds.

Recommendations

Add the relevant logic to send $RUJI to users withdrawing.

Remediation

Ruji Holdings remediated this issue in commit 86990dc0 by updating the relevant logic so that it adds a BankMsg::Send to the response.
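
An added example, not code from the Rujira repository or from this report: a std-only Rust model of the handler's response, with a regression check that fails on the event-only shape and passes once a bank send to the withdrawer is queued. The `Coin`, `Msg` and `Response` types are simplified stand-ins for the `cosmwasm_std` ones, and the denom, address and function names are assumptions.

```rust
// Simplified stand-ins for cosmwasm_std types (assumption: std-only model, runs offline).
#[derive(Debug, Clone, PartialEq)]
pub struct Coin { pub denom: String, pub amount: u128 }

#[derive(Debug, Clone, PartialEq)]
pub enum Msg { BankSend { to_address: String, amount: Vec<Coin> } }

#[derive(Debug, Default)]
pub struct Response { pub messages: Vec<Msg>, pub events: Vec<(String, String)> }

const DENOM: &str = "ruji"; // placeholder denom, not taken from the report

// Shape of the reported handler: the event is emitted, no transfer is queued.
pub fn withdraw_event_only(sender: &str, amount: u128) -> Response {
    let mut r = Response::default();
    r.events.push(("account".into(), sender.into()));
    r.events.push(("amount".into(), amount.to_string()));
    r
}

// Shape of the remediation: the same event plus a bank send to the withdrawer.
pub fn withdraw_with_send(sender: &str, amount: u128) -> Response {
    let mut r = withdraw_event_only(sender, amount);
    r.messages.push(Msg::BankSend {
        to_address: sender.into(),
        amount: vec![Coin { denom: DENOM.into(), amount }],
    });
    r
}

// Regression check: the total of DENOM sent to `sender` must equal `expected`.
pub fn pays_out(r: &Response, sender: &str, expected: u128) -> bool {
    let paid: u128 = r.messages.iter().map(|m| match m {
        Msg::BankSend { to_address, amount } if to_address.as_str() == sender =>
            amount.iter().filter(|c| c.denom == DENOM).map(|c| c.amount).sum::<u128>(),
        _ => 0,
    }).sum();
    paid == expected
}

fn main() {
    // Constructed sample values.
    let (user, amount) = ("user-addr-constructed", 1_000u128);
    println!("event only pays out: {}", pays_out(&withdraw_event_only(user, amount), user, amount));
    println!("with send pays out:  {}", pays_out(&withdraw_with_send(user, amount), user, amount));
}
```

In a real contract test the same assertion would be made against the `messages` of the `Response` returned by `execute`, comparing the sent amount with the `amount` attribute of the emitted event.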

Zellic © 2025