Summary

The function _calculate_vested_amount in VestedAirdrop.vy contract blindly accepts total_amount as an input.

• There is no verification that total_amount is correct or matches the real allocated amount.

• A malicious user can pass a fake total_amount to claim more tokens than they should.

• Since _calculate_vested_amount(total_amount) calculates the vested amount based on this input, an attacker can overclaim tokens.

Vulnerability Details

The vesting contract does not store total_amount per user.

• Instead, it relies on user-supplied input (total_amount) when calculating vested tokens.

• The attacker realizes that by passing a fake high value for total_amount, they can increase their claimable tokens.

• By repeatedly calling claim(), the attacker quickly drains all vesting funds before legitimate users can access them.

Impact

• A user can pass an arbitrary total_amount and claim more tokens than they are entitled to

• Massive token drain by malicious actors

Tools Used

manual review

Recommendations

** validate** total_amount against an immutable allocation stored in the contract.

• Instead of allowing the user to pass total_amount, retrieve it from a stored mapping: