The claim function in the VestedAirdrop.vy contract allows users to withdraw vested tokens without any requirement for work, staking, or investment: once a user holds an allocation and the vesting period has started, claiming costs nothing beyond gas. Because no mechanism sustains or replenishes the token reserve, the protocol's token supply shrinks with every claim.
Unlimited Free Claims: Users receive tokens over time without providing any value to the protocol.
Economic Drain: The protocol distributes tokens without any revenue-generating mechanism, so the reserve can only decrease.
Sybil Attack Risk: Malicious actors could spread an allocation across many wallets and claim from each one at no cost beyond gas.
Potential Exploit Vector: Attackers could drain the protocol's token reserves by claiming repeatedly across multiple wallets, up to the total committed in the distribution.
Affected Code:
No Staking or Locking Mechanism: The contract does not require users to stake, lock, or contribute anything before claiming tokens.
Unconditional Token Distribution: Once the vesting period starts, users can claim tokens without any further action or cost.
No Activity or Participation Requirement: The claim function does not check whether the user has provided liquidity, staked tokens, or performed any work before receiving rewards.
Airdrop Draining Attack
An attacker studies the protocol's vesting logic and controls a large number of wallets.
For each wallet they obtain a valid Merkle proof. This only works if those wallets were included in the allocation tree committed by the Merkle root, since a proof cannot be forged for an address and amount that are not in the tree; the scenario therefore depends on the snapshot itself admitting arbitrary or attacker-controlled entries.
They claim from every wallet as tokens vest, draining the protocol's token supply.
No Revenue, Continuous Token Loss
Since the protocol does not generate income, every successful claim is a net outflow of tokens.
Over the full vesting period this can deplete the token supply, harming long-term sustainability.
Manual review
Require Staking or Work for Token Claims: Users should stake tokens or provide liquidity before they can claim vested rewards.
Introduce an Activity-Based Vesting Model: Instead of time-based vesting alone, require users to perform an action (e.g., governance participation, liquidity provision) to unlock each tranche.
Add a Contribution Tracking Mechanism: Before allowing a claim, check that the user has provided value to the protocol, for example by requiring proof of identity or a minimum stake.
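As an added example (not code from VestedAirdrop.vy or the project), the following Python model ties the draining scenario above to the minimum-stake recommendation. It commits a constructed allocation snapshot to a Merkle root, vests it linearly, and shows three things: a wallet that is not in the tree is rejected even when it reuses a valid proof, the total payout is bounded by the amounts committed in the snapshot, and an optional minimum-stake gate blocks a listed but unstaked wallet until it stakes. The leaf layout (hash of address and amount), sorted-pair hashing, sha256 standing in for keccak256, the linear schedule and the `min_stake` gate are all assumptions for illustration.

```python
# Added example: model of a Merkle-gated, linearly vesting airdrop claim.
# Not the VestedAirdrop.vy code. Assumed: leaf = hash(address || amount),
# sorted-pair hashing, linear vesting over `duration`, optional min-stake gate.
import hashlib
from dataclasses import dataclass, field


def _h(data: bytes) -> bytes:
    # sha256 stands in for keccak256 so the model runs with the stdlib only.
    return hashlib.sha256(data).digest()


def leaf(addr: str, amount: int) -> bytes:
    # Assumed leaf layout: hash(address || amount as 32-byte big-endian).
    return _h(addr.encode() + amount.to_bytes(32, "big"))


def _pair(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing, the convention used by common MerkleProof libraries.
    return _h(a + b) if a <= b else _h(b + a)


def build_levels(leaves: list) -> list:
    """Return tree levels: level 0 = leaves, last level = [root]."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]  # duplicate the last node on odd levels
        levels.append([_pair(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def proof_for(levels: list, index: int) -> list:
    """Sibling hashes from leaf `index` up to (not including) the root."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append(level[index ^ 1])
        index //= 2
    return proof


def verify(proof: list, root: bytes, leaf_hash: bytes) -> bool:
    node = leaf_hash
    for sibling in proof:
        node = _pair(node, sibling)
    return node == root


@dataclass
class AirdropModel:
    root: bytes
    start: int
    duration: int
    min_stake: int = 0  # 0 reproduces the unconditional design described above
    claimed: dict = field(default_factory=dict)
    staked: dict = field(default_factory=dict)

    def vested(self, total: int, now: int) -> int:
        if now <= self.start:
            return 0
        if now >= self.start + self.duration:
            return total
        return total * (now - self.start) // self.duration

    def claim(self, addr: str, total: int, proof: list, now: int) -> int:
        """Pay out newly vested tokens; returns the amount transferred."""
        if not verify(proof, self.root, leaf(addr, total)):
            raise ValueError("invalid proof: address/amount not in the committed tree")
        if self.staked.get(addr, 0) < self.min_stake:
            raise ValueError("claim requires a minimum stake")
        due = self.vested(total, now) - self.claimed.get(addr, 0)
        if due <= 0:
            raise ValueError("nothing newly vested")
        self.claimed[addr] = self.claimed.get(addr, 0) + due
        return due


# Constructed allocation snapshot (not real data).
ALLOCATIONS = [("0xAlice", 1000), ("0xBob", 500), ("0xCarol", 250)]


def demo() -> dict:
    levels = build_levels([leaf(a, n) for a, n in ALLOCATIONS])
    root = levels[-1][0]
    proofs = {a: proof_for(levels, i) for i, (a, _) in enumerate(ALLOCATIONS)}
    out = {}
    drop = AirdropModel(root=root, start=0, duration=100)
    out["alice_midpoint"] = drop.claim("0xAlice", 1000, proofs["0xAlice"], now=50)
    try:  # same timestamp again: nothing new has vested
        drop.claim("0xAlice", 1000, proofs["0xAlice"], now=50)
        out["alice_repeat"] = "paid"
    except ValueError:
        out["alice_repeat"] = "rejected"
    try:  # Sybil wallet reusing Alice's proof: its leaf hash differs, so it fails
        drop.claim("0xMallory", 1000, proofs["0xAlice"], now=50)
        out["sybil"] = "paid"
    except ValueError:
        out["sybil"] = "rejected"
    for a, n in ALLOCATIONS:  # everyone claims after full vesting
        drop.claim(a, n, proofs[a], now=100)
    out["total_paid"] = sum(drop.claimed.values())  # bounded by the snapshot
    gated = AirdropModel(root=root, start=0, duration=100, min_stake=100)
    try:
        gated.claim("0xBob", 500, proofs["0xBob"], now=100)
        out["unstaked_bob"] = "paid"
    except ValueError:
        out["unstaked_bob"] = "rejected"
    gated.staked["0xBob"] = 100
    out["staked_bob"] = gated.claim("0xBob", 500, proofs["0xBob"], now=100)
    return out
```

The check a reviewer would run against the real contract is the one `demo()` encodes: can any address outside the committed tree ever receive tokens, and is the sum of all leaves (not the number of wallets an attacker controls) the upper bound on outflow? If both hold, the Sybil scenario reduces to how the allocation snapshot was produced, which is where the staking or contribution gate belongs.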