Vyper Vested Claims

First Flight #34 (Beginner Friendly, DeFi)

Submission Details
Severity: high
Status: Invalid

Incorrect Vesting Calculation (Potential Overclaim)

Summary

The function _calculate_vested_amount in the VestedAirdrop.vy contract blindly accepts total_amount as an input.

  • There is no verification that total_amount is correct or matches the real allocated amount.

  • A malicious user can pass a fake total_amount to claim more tokens than they should.

  • Since _calculate_vested_amount(total_amount) calculates the vested amount based on this input, an attacker can overclaim tokens.

Vulnerability Details

The vesting contract does not store total_amount per user.

  • Instead, it relies on user-supplied input (total_amount) when calculating vested tokens.

  • The attacker realizes that by passing a fake high value for total_amount, they can increase their claimable tokens.

  • By repeatedly calling claim(), the attacker quickly drains all vesting funds before legitimate users can access them.

Impact

  • A user can pass an arbitrary total_amount and claim more tokens than they are entitled to.

  • Massive token drain by malicious actors

Tools Used

manual review

Recommendations

**Validate** total_amount against an immutable allocation stored in the contract.

  • Instead of allowing the user to pass total_amount, retrieve it from a stored mapping:

```vyper
@external
def claim(user: address, proof: DynArray[bytes32, 20]) -> bool:
    total_amount: uint256 = self.allocated_amount[user]  # Retrieve stored allocation
    assert total_amount > 0, "User not allocated"
    vested: uint256 = self._calculate_vested_amount(total_amount)
    # remaining claim logic (proof check, transfer) unchanged
```
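As an added illustration of the recommended pattern (this is not the audited VestedAirdrop.vy, nor the project's own code), the fragment below keeps every allocation in an owner-set HashMap and lets claim() read it from storage instead of calldata. It assumes Vyper 0.4 syntax, a linear vesting schedule between two timestamps, and omits the Merkle proof parameter of the original claim().

```vyper
# pragma version ^0.4.0
# Added example: allocations are fixed on-chain by the owner, so claim() never trusts a caller-supplied total_amount.

from ethereum.ercs import IERC20

token: immutable(IERC20)
owner: immutable(address)
vesting_start: immutable(uint256)
vesting_end: immutable(uint256)

allocated_amount: public(HashMap[address, uint256])  # assumed: set once per user by the owner
claimed_amount: public(HashMap[address, uint256])    # running total already paid out

@deploy
def __init__(_token: address, _start: uint256, _end: uint256):
    assert _end > _start, "Invalid vesting window"
    token = IERC20(_token)
    owner = msg.sender
    vesting_start = _start
    vesting_end = _end

@external
def set_allocation(user: address, amount: uint256):
    # Only the owner fixes an allocation, and only once, so it is effectively immutable.
    assert msg.sender == owner, "Not owner"
    assert self.allocated_amount[user] == 0, "Already allocated"
    self.allocated_amount[user] = amount

@internal
@view
def _calculate_vested_amount(total_amount: uint256) -> uint256:
    # Assumed linear vesting between vesting_start and vesting_end.
    if block.timestamp < vesting_start:
        return 0
    if block.timestamp >= vesting_end:
        return total_amount
    elapsed: uint256 = block.timestamp - vesting_start
    return total_amount * elapsed // (vesting_end - vesting_start)

@external
def claim() -> uint256:
    # total_amount comes from storage, never from calldata.
    total_amount: uint256 = self.allocated_amount[msg.sender]
    assert total_amount > 0, "User not allocated"
    vested: uint256 = self._calculate_vested_amount(total_amount)
    claimable: uint256 = vested - self.claimed_amount[msg.sender]
    assert claimable > 0, "Nothing to claim"
    self.claimed_amount[msg.sender] = vested  # effects before the external call
    assert extcall token.transfer(msg.sender, claimable), "Transfer failed"
    return claimable
```

Tracking claimed_amount per user also makes repeated claim() calls harmless: each call can only pay out the difference between what has vested and what was already transferred.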
Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
