Vyper Vested Claims

First Flight #34
Beginner FriendlyDeFi
100 EXP
View results
Submission Details
Severity: high
Invalid

Lack of Work or Investment Requirement in Vested Claim Function

Summary

The claim function in the VestedAirdrop.vy contract allows users to withdraw vested tokens without any requirement for work, staking, or investment. This design flaw can result in continuous token depletion without any mechanism to sustain or generate revenue for the protocol.

Vulnerability Details

Impact

  • ** Unlimited Free Claims**: Users receive tokens over time without providing any value to the protocol.

  • Economic Drain: The protocol distributes tokens without any revenue-generating mechanism, leading to depletion.

  • Sybil Attack Risk: Malicious actors could create multiple wallets and claim tokens without cost.

  • Potential Exploit Vector: Attackers could drain the protocol’s token reserves by claiming tokens repeatedly across multiple wallets.

Affected Code:

def claim(user: address, total\_amount: uint256, proof: DynArray\[bytes32, 20]) -> bool:
assert self.verify\_proof(user, total\_amount, proof), "Invalid proof"
assert block.timestamp >= self.vesting\_start\_time, "Too early"
current_amount: uint256 = self.claimed_amount[user]
vested: uint256 = self._calculate_vested_amount(total_amount)
claimable: uint256 = vested - current_amount if vested > current_amount else 0
assert claimable > 0, "Nothing to claim"
self.claimed_amount[user] += claimable # Update state before transfer
assert self.claimed_amount[user] <= total_amount, "Overclaim"
log Claimed(user, claimable) # Emit event
_success: bool = extcall IERC20(self.token).transfer(user, claimable)
assert _success, "Transfer failed"
return True

Root Cause of the Issue

  • No Staking or Locking Mechanism:

    • The contract does not require users to stake, lock, or contribute anything before claiming tokens.

  • Unconditional Token Distribution:

    • Once the vesting period starts, users can claim tokens without any action or cost.

  • No Activity or Participation Requirement:

    • The claim function does not check if the user has provided liquidity, staked tokens, or performed any work before receiving rewards.

Exploitation Scenario

  1. Airdrop Draining Attack

    • An attacker identifies the protocol’s vesting logic and creates thousands of wallets.

    • They generate valid Merkle proofs (if the system allows arbitrary claims).

    • They continuously claim tokens across multiple wallets, draining the protocol’s token supply.

  2. No Revenue, Continuous Token Loss

    • Since the protocol does not generate income, it loses tokens every time a claim is made.

    • This could lead to total depletion of the token supply, harming long-term sustainability.


Tools Used

manual review

Recommendations

Require Staking or Work for Token Claims

  • Users should stake tokens or provide liquidity before they can claim vested rewards.

Introduce an Activity-Based Vesting Model

  • Instead of time-based vesting alone, require users to perform an action (e.g., governance participation, liquidity provision).

Add a Contribution Tracking Mechanism

  • Before allowing claims, check if the user has provided value to the protocol.

  • Implement proof-of-identity measures or require a minimum stake before allowing claims.

Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.