Vyper Vested Claims

First Flight #34
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: low
Invalid

No input checks in set_merkle_root leading to DoS

Summary

Currently there are no checks when the owner calls `set_merkle_root` and changes the `merkle_root` value; this can end in a DoS.

Vulnerability Details

`merkle_root`

  • can be accidentally set to the current value instead of a new one

  • can be set to a wrong merkle root

Impact

Can block the `claim` function, making it revert for everyone, because the merkle root is wrong or stale.

Tools Used

Manual review

Recommendations

Keeping track of the previously used merkle roots can prevent human error and mistakenly setting an old or wrong root:

[...]
vesting_start_time: public(uint256)
vesting_end_time: public(uint256)
merkle_root: public(bytes32)
token: public(address)
owner: public(address)
claimed_amount: public(HashMap[address, uint256])
+ previous_roots public(HashMap[bytes32 bool])
[...]
@external
def set_merkle_root(merkle_root: bytes32):
[...]
self.onlyOwner()
+ assert not self.previous_roots[new_root], "merkle_root has already been used"
+ assert merkle_root != self.merkle_root, "New merkle_root must be different from current"
self.merkle_root = merkle_root
log MerkleRootUpdated(merkle_root)
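Review bot: the guard never fires as written. `assert not self.previous_roots[new_root]` reads a name `new_root` that does not exist in `set_merkle_root`; the parameter is `merkle_root`. None of the added lines ever write `self.previous_roots[...] = True`, so even with the name fixed the map stays empty and any old root passes the check. The storage declaration on the `+ previous_roots` line is also not valid Vyper: it needs the colon and the comma, `previous_roots: public(HashMap[bytes32, bool])`. Suggested shape: `assert not self.previous_roots[merkle_root], "merkle_root has already been used"`, then `self.previous_roots[self.merkle_root] = True` before `self.merkle_root = merkle_root`. Note that recording roots this way also blocks rolling back to a known-good root after a bad update, which the report should call out.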

Also, off-chain verification of the new root before it is submitted will significantly lower the chance of setting an old or wrong root.
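The failure mode described under Impact and the previous-roots guard from Recommendations, as an added Python model that is not the Vyper Vested Claims contract's code. Constructed assumptions: leaves are `sha256(address || amount)` (the contract's real leaf encoding and hash are not shown on this page; sha256 stands in for keccak256), sibling pairs are sorted before hashing, and the allocation lists are made up. Names such as `VestedClaims`, `claimable` and `setter_rejects` are this example's own.

```python
"""Python model of a Merkle-gated claim whose root the owner can replace.

Added example, not the project's code. Constructed assumptions: sha256 leaf
and pair hashing, sorted sibling pairs, made-up allocation lists.
"""
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf(addr: str, amount: int) -> bytes:
    # Constructed leaf encoding; the contract's real encoding is not on the page.
    return h(addr.encode() + amount.to_bytes(32, "big"))


def pair(a: bytes, b: bytes) -> bytes:
    # Sorted pair, so a proof needs no left/right position flags.
    return h(a + b) if a <= b else h(b + a)


def build_tree(leaves):
    """Levels bottom-up, last level is [root]; an odd level duplicates its last node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([pair(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def proof_for(levels, index: int):
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append(level[index ^ 1])
        index //= 2
    return proof


def verify(root: bytes, leaf_hash: bytes, proof) -> bool:
    node = leaf_hash
    for sib in proof:
        node = pair(node, sib)
    return node == root


class VestedClaims:
    """Mirrors the storage named on the page (owner, merkle_root, claimed_amount)
    plus the previous_roots map the report recommends, with the guard made effective."""

    def __init__(self, owner: str, merkle_root: bytes):
        self.owner = owner
        self.merkle_root = merkle_root
        self.previous_roots = {merkle_root: True}
        self.claimed_amount = {}

    def set_merkle_root(self, caller: str, new_root: bytes) -> None:
        assert caller == self.owner, "only owner"
        assert new_root != self.merkle_root, "New merkle_root must be different from current"
        assert not self.previous_roots.get(new_root), "merkle_root has already been used"
        self.previous_roots[new_root] = True  # record it, or the reuse check never fires
        self.merkle_root = new_root

    def claim(self, addr: str, amount: int, proof) -> None:
        assert verify(self.merkle_root, leaf(addr, amount), proof), "invalid proof"
        assert self.claimed_amount.get(addr, 0) == 0, "already claimed"
        self.claimed_amount[addr] = amount


# Constructed allocation list, and a second one that differs by a single typo'd amount.
ALLOCATIONS = [("0xAlice", 100), ("0xBob", 250), ("0xCarol", 75)]
TYPO_ALLOCATIONS = [("0xAlice", 100), ("0xBob", 205), ("0xCarol", 75)]


def tree_and_proofs(allocs):
    levels = build_tree([leaf(a, amt) for a, amt in allocs])
    return levels[-1][0], {a: proof_for(levels, i) for i, (a, _) in enumerate(allocs)}


def claimable(contract: VestedClaims, allocs, proofs) -> int:
    """How many holders' proofs verify under the contract's current root (no state change)."""
    return sum(verify(contract.merkle_root, leaf(a, amt), proofs[a]) for a, amt in allocs)


def setter_rejects(contract: VestedClaims, root: bytes) -> bool:
    try:
        contract.set_merkle_root(contract.owner, root)
        return False
    except AssertionError:
        return True


def demo():
    good_root, proofs = tree_and_proofs(ALLOCATIONS)
    wrong_root, _ = tree_and_proofs(TYPO_ALLOCATIONS)
    c = VestedClaims("0xOwner", good_root)
    before = claimable(c, ALLOCATIONS, proofs)   # every distributed proof verifies
    c.set_merkle_root("0xOwner", wrong_root)      # owner publishes a root built from a typo'd list
    after = claimable(c, ALLOCATIONS, proofs)     # one wrong leaf changes the root; every claim reverts
    same = setter_rejects(c, wrong_root)          # re-setting the current root is refused
    rollback = setter_rejects(c, good_root)       # so is going back to the old, correct root
    return before, after, same, rollback


if __name__ == "__main__":
    print(demo())
```

The last value is the caveat the report's recommendation does not mention: once the old root is recorded as used, the owner cannot roll back to it after a bad update, so the guard trades one operator mistake for another. Off-chain verification of the root against the intended allocation list before the transaction is sent avoids both.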

Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] No checks in `set_merkle_root` function

The `set_merkle_root` function is called only by the `owner`, and the `owner` is trusted. This means the input argument `merkle_root` will be correct and the `owner` will not call the `set_merkle_root` function again.
