Vyper Vested Claims

First Flight #34
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: high
Invalid

Missing Validation in Vesting Period Initialization

Summary

The contract's constructor lacks a check to ensure that vesting_end_time is set after vesting_start_time. If these values are equal or vesting_end_time is earlier, the vesting duration calculation results in a division by zero error, rendering the contract inoperable.

Vulnerability Details

In the _calculate_vested_amount function, the vesting duration is calculated as end_time - start_time. If end_time is not greater than start_time, this results in a duration of zero, leading to a division by zero when computing the linear vesting portion. This error causes all claim transactions to revert, preventing users from claiming tokens.

Impact

If the contract is deployed with invalid vesting times, the entire vesting mechanism fails. Users cannot claim any tokens, and the contract's functionality is permanently impaired. The owner can rescue tokens, but the primary purpose of the contract is defeated.

Tools Used

Manual code review.

Recommendations

Add a validation check in the constructor to ensure vesting_end_time is strictly greater than vesting_start_time:

@deploy
def __init__(...):
    ...
    assert vesting_end_time > vesting_start_time, "Invalid vesting period"
    ...

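A Python model of the failure mode and of the recommended constructor check, added here as an illustration; it is not the contest contract's code or part of the submission. The linear formula, the `VestingModel` class and the `claim_outcome` helper are assumptions, as is the use of uint256 timestamps; the model also covers the end-before-start case, where Vyper's checked unsigned subtraction reverts before the division is reached.

```python
class Revert(Exception):
    """Stands in for an EVM revert."""

def checked_sub(a: int, b: int) -> int:
    # Vyper reverts on unsigned underflow instead of wrapping.
    if b > a:
        raise Revert("underflow")
    return a - b

def checked_div(a: int, b: int) -> int:
    # Vyper reverts on division by zero.
    if b == 0:
        raise Revert("division by zero")
    return a // b

class VestingModel:
    # Hypothetical stand-in for the vesting contract (assumed purely linear).
    def __init__(self, start: int, end: int, validate: bool):
        # validate=True applies the recommended constructor assert.
        if validate and end <= start:
            raise Revert("Invalid vesting period")
        self.vesting_start_time = start
        self.vesting_end_time = end

    def calculate_vested_amount(self, total: int, now: int) -> int:
        # Assumed formula: total * elapsed / duration, capped at the end time.
        if now < self.vesting_start_time:
            return 0
        duration = checked_sub(self.vesting_end_time, self.vesting_start_time)
        elapsed = checked_sub(min(now, self.vesting_end_time), self.vesting_start_time)
        return checked_div(total * elapsed, duration)

def claim_outcome(start, end, validate, total=1_000, now=None):
    """Return the vested amount, or a string naming where the revert happened."""
    try:
        vesting = VestingModel(start, end, validate)
    except Revert as exc:
        return f"deploy reverted: {exc}"
    try:
        return vesting.calculate_vested_amount(total, start + 50 if now is None else now)
    except Revert as exc:
        return f"claim reverted: {exc}"
```

Without the check, the misconfiguration only surfaces when someone claims; with it, deployment itself fails and the bad parameters never reach users.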
Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
