Vyper Vested Claims

First Flight #34

Beginner FriendlyDeFi

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Lack of Work or Investment Requirement in Vested Claim Function

rare__one

Summary

The claim function in the VestedAirdrop.vy contract allows users to withdraw vested tokens without any requirement for work, staking, or investment. This design flaw can result in continuous token depletion without any mechanism to sustain or generate revenue for the protocol.

Vulnerability Details

Impact

** Unlimited Free Claims**: Users receive tokens over time without providing any value to the protocol.

Economic Drain: The protocol distributes tokens without any revenue-generating mechanism, leading to depletion.
Sybil Attack Risk: Malicious actors could create multiple wallets and claim tokens without cost.
Potential Exploit Vector: Attackers could drain the protocol’s token reserves by claiming tokens repeatedly across multiple wallets.

Affected Code:

def claim(user: address, total\_amount: uint256, proof: DynArray\[bytes32, 20]) -> bool:

assert self.verify\_proof(user, total\_amount, proof), "Invalid proof"

assert block.timestamp >= self.vesting\_start\_time, "Too early"

current_amount: uint256 = self.claimed_amount[user]

vested: uint256 = self._calculate_vested_amount(total_amount)

claimable: uint256 = vested - current_amount if vested > current_amount else 0

assert claimable > 0, "Nothing to claim"

self.claimed_amount[user] += claimable # Update state before transfer

assert self.claimed_amount[user] <= total_amount, "Overclaim"

log Claimed(user, claimable) # Emit event

_success: bool = extcall IERC20(self.token).transfer(user, claimable)

assert _success, "Transfer failed"

return True

Root Cause of the Issue

No Staking or Locking Mechanism:
- The contract does not require users to stake, lock, or contribute anything before claiming tokens.
Unconditional Token Distribution:
- Once the vesting period starts, users can claim tokens without any action or cost.
No Activity or Participation Requirement:
- The claim function does not check if the user has provided liquidity, staked tokens, or performed any work before receiving rewards.

Exploitation Scenario

Airdrop Draining Attack
- An attacker identifies the protocol’s vesting logic and creates thousands of wallets.
- They generate valid Merkle proofs (if the system allows arbitrary claims).
- They continuously claim tokens across multiple wallets, draining the protocol’s token supply.
No Revenue, Continuous Token Loss
- Since the protocol does not generate income, it loses tokens every time a claim is made.
- This could lead to total depletion of the token supply, harming long-term sustainability.

Tools Used

manual review

Recommendations

Require Staking or Work for Token Claims

Users should stake tokens or provide liquidity before they can claim vested rewards.

Introduce an Activity-Based Vesting Model

Instead of time-based vesting alone, require users to perform an action (e.g., governance participation, liquidity provision).

Add a Contribution Tracking Mechanism

Before allowing claims, check if the user has provided value to the protocol.
Implement proof-of-identity measures or require a minimum stake before allowing claims.

Updates

Appeal created

bube Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

127

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.