The function `_calculate_vested_amount` in the VestedAirdrop.vy contract blindly accepts `total_amount` as an input. There is no verification that `total_amount` is correct or matches the real allocated amount, so a malicious user can pass a fake `total_amount` to claim more tokens than they should. Since `_calculate_vested_amount(total_amount)` calculates the vested amount based on this input, an attacker can overclaim tokens.

The vesting contract does not store `total_amount` per user. Instead, it relies on user-supplied input (`total_amount`) when calculating vested tokens. An attacker who notices this passes an inflated `total_amount` to increase their claimable tokens, and by repeatedly calling `claim()` drains all vesting funds before legitimate users can access them.
A user can pass an arbitrary `total_amount` and claim more tokens than they are entitled to, leading to a massive token drain by malicious actors.
Tools used: manual review.
**Validate** `total_amount` against an immutable allocation stored in the contract. Instead of allowing the user to pass `total_amount`, retrieve it from a stored mapping.
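One way to implement this in Vyper, as an added illustration that is not the audited VestedAirdrop.vy or the finding's own code: the owner records each user's allocation once and locks the table, and `claim()` reads the allocation from storage rather than from calldata, so `_calculate_vested_amount` never sees a user-chosen `total_amount`. The contract layout, function names, the linear vesting schedule and the 100-entry batch bound are all assumptions.

```vyper
# pragma version ^0.4.0
# Added illustration of the mitigation; not the audited contract.

from ethereum.ercs import IERC20

token: public(immutable(IERC20))
owner: public(immutable(address))
vesting_start: public(immutable(uint256))
vesting_end: public(immutable(uint256))

# Per-user allocation, set by the owner and then frozen for the life of the contract.
allocation: public(HashMap[address, uint256])
allocation_locked: public(bool)
# Amount already paid out to each user, so repeated claim() calls cannot double-pay.
claimed: public(HashMap[address, uint256])

@deploy
def __init__(_token: address, _start: uint256, _end: uint256):
    assert _end > _start, "bad schedule"
    token = IERC20(_token)
    owner = msg.sender
    vesting_start = _start
    vesting_end = _end

@external
def set_allocations(users: DynArray[address, 100], amounts: DynArray[uint256, 100]):
    # Only the owner may write allocations, and only before the table is locked.
    assert msg.sender == owner, "not owner"
    assert not self.allocation_locked, "allocations locked"
    assert len(users) == len(amounts), "length mismatch"
    for i: uint256 in range(len(users), bound=100):
        self.allocation[users[i]] = amounts[i]

@external
def lock_allocations():
    # After this call the allocation mapping is effectively immutable.
    assert msg.sender == owner, "not owner"
    self.allocation_locked = True

@internal
@view
def _calculate_vested_amount(total_amount: uint256) -> uint256:
    # Linear vesting between vesting_start and vesting_end (assumed schedule).
    if block.timestamp < vesting_start:
        return 0
    if block.timestamp >= vesting_end:
        return total_amount
    elapsed: uint256 = block.timestamp - vesting_start
    duration: uint256 = vesting_end - vesting_start
    return total_amount * elapsed // duration

@external
def claim():
    # total_amount comes from storage, never from the caller.
    assert self.allocation_locked, "allocations not final"
    total_amount: uint256 = self.allocation[msg.sender]
    vested: uint256 = self._calculate_vested_amount(total_amount)
    already: uint256 = self.claimed[msg.sender]
    assert vested > already, "nothing to claim"
    claimable: uint256 = vested - already
    self.claimed[msg.sender] = vested
    assert extcall token.transfer(msg.sender, claimable, default_return_value=True), "transfer failed"
```

Because `claim()` takes no amount argument at all, there is nothing for a caller to inflate; the only way to change a user's entitlement is the owner writing the mapping before `lock_allocations()`, and the `claimed` mapping bounds what repeated calls can withdraw to the vested portion of that stored allocation.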