The entire VestedAirdrop.vy smart contract lacks an emergency stop mechanism, meaning there is no way to pause claims in case of a critical issue such as token malfunction or exploit. While the contract owner can rescue tokens, users can still claim funds from a broken state before fixes are applied, leading to potential loss of funds, unfair token distribution, or protocol abuse.
Since smart contracts are immutable once deployed, any flaw discovered post-deployment becomes a critical risk, and without a pause mechanism, the team has no immediate way to stop ongoing claims while working on a fix.
No pause() function
The contract does not include a paused state that would disable claims when necessary.
As a result, even if a critical issue is found, claims will continue processing, leading to potential loss of funds.
Users Can Claim Funds Even in a Broken State
If the Merkle root is incorrect, users might claim tokens they do not deserve.
If the token contract is compromised, claims may be redirected to a malicious party.
No Admin-Controlled Pause Option
The contract owner can only update Merkle roots and rescue tokens, but not prevent ongoing claims during a fix.
This leaves the contract vulnerable to exploitation during response time.
Users may claim unfair amounts before an issue is fixed, leading to financial imbalances.
manual review
Implement an Emergency Stop (pause) Function
A simple paused state should be introduced to temporarily disable claims when needed.
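One way the recommended paused state could gate claims, as an added sketch that is not code from VestedAirdrop.vy: every function and variable name, the leaf encoding, the sorted-pair Merkle check and the Vyper version are assumptions, and vesting is left out so that the pause gate is the only moving part.

```vyper
# pragma version 0.3.10
# Added illustration; all names here are hypothetical, not the audited contract's.
from vyper.interfaces import ERC20

event PauseSet:
    paused: bool

owner: public(address)
token: public(address)
merkle_root: public(bytes32)
paused: public(bool)                      # defaults to False: claims open at deployment
claimed: public(HashMap[address, bool])

@external
def __init__(token_addr: address, root: bytes32):
    self.owner = msg.sender
    self.token = token_addr
    self.merkle_root = root

@external
def set_paused(new_state: bool):
    # Emergency stop: owner-only, and every toggle is logged for monitoring.
    assert msg.sender == self.owner, "owner only"
    self.paused = new_state
    log PauseSet(new_state)

@external
def set_merkle_root(new_root: bytes32):
    # Deliberately not gated on paused: the owner repairs the root while claims are stopped.
    assert msg.sender == self.owner, "owner only"
    self.merkle_root = new_root

@external
def claim(amount: uint256, proof: DynArray[bytes32, 20]):
    # Pause gate comes first, so a paused contract reverts before any state change.
    assert not self.paused, "claims paused"
    assert not self.claimed[msg.sender], "already claimed"
    # Assumed leaf encoding: keccak256(abi.encode(claimer, amount)).
    node: bytes32 = keccak256(_abi_encode(msg.sender, amount))
    for sibling in proof:
        if convert(node, uint256) < convert(sibling, uint256):
            node = keccak256(concat(node, sibling))
        else:
            node = keccak256(concat(sibling, node))
    assert node == self.merkle_root, "invalid proof"
    self.claimed[msg.sender] = True
    assert ERC20(self.token).transfer(msg.sender, amount, default_return_value=True)
```

Owner-only maintenance paths such as the root update stay callable while paused, which is what lets the team stop claims, fix the state and then reopen them.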