Vyper Vested Claims

First Flight #34
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: high
Invalid

No Emergency Stop Mechanism

Summary

The entire VestedAirdrop.vy smart contract lacks an emergency stop mechanism, meaning there is no way to pause claims in case of a critical issue such as token malfunction or exploit. While the contract owner can rescue tokens, users can still claim funds from a broken state before fixes are applied, leading to potential loss of funds, unfair token distribution, or protocol abuse.

Since smart contracts are immutable once deployed, any flaw discovered post-deployment becomes a critical risk, and without a pause mechanism, the team has no immediate way to stop ongoing claims while working on a fix.

Vulnerability Details

No pause() function

  • The contract does not include a paused state that would disable claims when necessary.

  • As a result, even if a critical issue is found, claims continue to be processed, leading to potential loss of funds.

Users can claim funds even in a broken state

  • If the Merkle root is incorrect, users might claim tokens they do not deserve.

  • If the token contract is compromised, claims may be redirected to a malicious party.

No admin-controlled pause option

  • The contract owner can only update Merkle roots and rescue tokens, but cannot prevent ongoing claims while a fix is prepared.

  • This leaves the contract exposed to exploitation during the response window.

Impact

Users may claim unfair amounts before an issue is fixed, leading to financial imbalances.

Tools Used

Manual review

Recommendations

Implement an Emergency Stop (pause) Function

Introduce an owner-controlled paused flag that the claim function checks, so claims can be disabled temporarily while an issue is investigated and fixed.
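The following sketch, added here as an illustration and not taken from VestedAirdrop.vy, shows how such a circuit breaker fits into a Merkle-proof claim flow. The function and field names (claim, set_paused, merkle_root, claimed) and the leaf encoding are assumptions, not the audited contract's API.

```vyper
# pragma version ^0.4.0
# Illustrative emergency-stop pattern for a Merkle-based airdrop claim.
# Added example; names and leaf format are assumptions, not the audited code.

from ethereum.ercs import IERC20

event PausedSet:
    paused: bool

owner: public(address)
token: public(IERC20)
merkle_root: public(bytes32)
paused: public(bool)
claimed: public(HashMap[address, bool])

@deploy
def __init__(token: address, merkle_root: bytes32):
    self.owner = msg.sender
    self.token = IERC20(token)
    self.merkle_root = merkle_root
    self.paused = False

@external
def set_paused(paused: bool):
    # Only the owner may flip the circuit breaker; the event lets
    # off-chain monitoring alert on every pause/unpause.
    assert msg.sender == self.owner, "not owner"
    self.paused = paused
    log PausedSet(paused)

@external
def claim(amount: uint256, proof: DynArray[bytes32, 32]):
    # Emergency stop: every claim is refused while paused, so a wrong
    # Merkle root or a broken token can be handled before more funds leave.
    assert not self.paused, "claims paused"
    assert not self.claimed[msg.sender], "already claimed"
    leaf: bytes32 = keccak256(abi_encode(msg.sender, amount))
    assert self._verify(leaf, proof), "invalid proof"
    self.claimed[msg.sender] = True
    assert extcall self.token.transfer(msg.sender, amount), "transfer failed"

@internal
@view
def _verify(leaf: bytes32, proof: DynArray[bytes32, 32]) -> bool:
    # Sorted-pair Merkle verification (assumed leaf/pair ordering).
    node: bytes32 = leaf
    for p: bytes32 in proof:
        if convert(node, uint256) < convert(p, uint256):
            node = keccak256(concat(node, p))
        else:
            node = keccak256(concat(p, node))
    return node == self.merkle_root
```

The pause check is deliberately the first assertion in claim so that no state is touched and no tokens move while the contract is paused.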

Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
