Vyper Vested Claims

First Flight #34
Beginner Friendly, DeFi
Submission Details
Severity: High
Status: Invalid

Reentrancy Risk in claim() Due to External Call Before State Update

Summary

The claim() function transfers tokens to the user before it increments claimed_amount[user]. If the recipient obtains control during that transfer, a contract can re-enter claim() while the stored claimed amount is still stale and withdraw more than its vested share.

Vulnerability Details

The claim() function pays out tokens according to the vesting schedule. In the ordering shown below, the external token transfer is made before claimed_amount is updated, so the interaction precedes the effect:

# Transfer the claimable amount to the user - Interactions
_success: bool = extcall IERC20(self.token).transfer(user, claimable)
assert _success, "Transfer failed"
# Update the claimed amount - Effects
self.claimed_amount[user] += claimable
  • The attacker deploys a contract and has it call claim() (or registers it as the vesting recipient).

  • If the token's transfer hands control to the recipient (this requires a token with a recipient hook, such as ERC777-style tokens; a plain ERC20 transfer makes no call into the recipient and gives it no fallback to run), the attacker contract re-enters claim() from that callback before claimed_amount is updated.

  • Each re-entry recomputes claimable from the stale claimed_amount, so the attacker repeats the call until the contract balance is exhausted.

Impact

  • Funds at Risk: The entire token balance held by the vesting contract could be drained.

  • Likelihood: High only if the vesting token transfers control to the recipient; with a standard ERC20 token there is no callback, and the sequence above cannot be triggered.

  • Privilege Required: Low – any address with a vesting allocation can attempt it.

  • Complexity: Low – a small contract with a reentrant callback is enough, given such a token.

Tools Used

Manual Review

Recommendations

Vyper has no OpenZeppelin-style ReentrancyGuard base contract to inherit, but the compiler provides a built-in lock through the @nonreentrant decorator, so a hand-rolled lock is not required. Independently of the lock, the cheaper and more fundamental fix is to follow checks-effects-interactions: update self.claimed_amount[user] before calling transfer, so that any re-entrant call sees the new value and fails the "Nothing to claim" check.
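The hardened ordering just described, together with the built-in lock, as an added example that is not the submitted contract's code or part of the original report. The linear vesting schedule, the per-user total_amount mapping, the owner-gated set_allocation function and the constructor parameters are assumptions made so the contract is self-contained; the audited contract's own eligibility checks are not reproduced here.

```vyper
# pragma version ^0.4.0
# Added example (not the audited contract): claim() with checks-effects-
# interactions ordering plus Vyper's built-in reentrancy lock.

from ethereum.ercs import IERC20

owner: public(address)
token: public(address)
vesting_start: public(uint256)
vesting_end: public(uint256)

# Assumed allocation and bookkeeping per user
total_amount: public(HashMap[address, uint256])
claimed_amount: public(HashMap[address, uint256])

@deploy
def __init__(token: address, vesting_start: uint256, vesting_end: uint256):
    assert vesting_end > vesting_start, "Invalid vesting window"
    self.owner = msg.sender
    self.token = token
    self.vesting_start = vesting_start
    self.vesting_end = vesting_end

@external
def set_allocation(user: address, amount: uint256):
    # Assumed admin path for funding a user's vesting total
    assert msg.sender == self.owner, "Not owner"
    self.total_amount[user] = amount

@internal
@view
def _vested(user: address) -> uint256:
    # Assumed schedule: linear release between vesting_start and vesting_end
    total: uint256 = self.total_amount[user]
    if block.timestamp < self.vesting_start:
        return 0
    if block.timestamp >= self.vesting_end:
        return total
    elapsed: uint256 = block.timestamp - self.vesting_start
    duration: uint256 = self.vesting_end - self.vesting_start
    return total * elapsed // duration

@external
@nonreentrant
def claim() -> bool:
    user: address = msg.sender

    # Checks: Vyper reverts on underflow, so a lowered allocation after a
    # partial claim fails here instead of paying out.
    claimable: uint256 = self._vested(user) - self.claimed_amount[user]
    assert claimable > 0, "Nothing to claim"

    # Effects: record the claim before any external call. A re-entering
    # caller now computes claimable == 0 and fails the assert above, even
    # without the @nonreentrant lock.
    self.claimed_amount[user] += claimable

    # Interactions: only now touch the token contract.
    _success: bool = extcall IERC20(self.token).transfer(user, claimable)
    assert _success, "Transfer failed"
    return True
```

The state update alone closes the window described in the report; @nonreentrant is kept as defence in depth so that any future external call added to claim() (a recipient hook, a fee-on-transfer callback) cannot reopen it. Note that with a standard ERC20 token the transfer never calls back into the recipient, so neither measure changes behaviour for honest callers.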

Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
