Vyper Vested Claims

First Flight #34
Beginner FriendlyDeFi
100 EXP
View results
Submission Details
Severity: medium
Invalid

VestedAirdrop.vy Analysis

**1. `VestedAirdrop.vy` Analysis:**

* **Merkle Proof Verification:**

* The `verify_proof` and `_verify_proof` functions seem generally sound. They correctly hash the leaf node and traverse the Merkle tree.

* However, the `_hash_pair` function is crucial. It ensures that the hashes are concatenated in lexicographical order, preventing malleability. This is good.

* **Vesting Logic:**

* The `_calculate_vested_amount` function calculates the vested amount based on the current time, start time, and end time.

* The calculation of `instant_release` and `linear_vesting` is straightforward.

* The linear vesting calculation `(linear_vesting * elapsed) // vesting_duration` could be subject to rounding errors, but in this case because the token has 18 decimals, the rounding errors are negligeable.

* The use of `block.timestamp` is generally acceptable, but it's important to be aware that block timestamps can be slightly manipulated by miners.

* **Claiming Mechanism:**

* The `claim` function verifies the proof, calculates the claimable amount, updates the `claimed_amount` mapping, and transfers the tokens.

* The assertion `assert current_amount + claimable <= total_amount, "Claimed amount exceeds total amount"` is a good safety check.

* The claim function can be called by anyone, for any user. This is an intended functionality, but could be used to grief users, by frontrunning their claim transactions.

* **Owner Privileges:**

* The `set_merkle_root` and `rescue_tokens` functions are correctly restricted to the owner.

* The `rescue_tokens` function is good practice.

* **claimable_amount function**

* The `claimable_amount` function states that it does not verify against the merkle root. This is a critical point. If the frontend is not validating the user input with the provided merkle proofs, then a user could request the claimable amount of a different user.

**2. `merkle_proofs.json` Analysis:**

* The `merkle_proofs.json` file contains the Merkle proofs and root.

* It's crucial to ensure that this file is generated and stored securely, as any modification could compromise the vesting process.

* The data within the Json should be validated to ensure that the addresses are valid ethereum addresses, and that the quantity fields are numbers.

* The Json should be validated against the calculated merkle root, to ensure that the root stored in the json is indeed the correct root.

**3. Potential Vulnerabilities:**

* **Front-Running Griefing:**

* The `claim` function allows anyone to claim for any user. An attacker could front-run a legitimate claim transaction, claiming the tokens before the intended user. This would grief the user, although not steal their tokens.

* **Frontend Data Validation:**

* The `claimable_amount` function does not validate the input against the merkle root. If the frontend uses this function without validating the input parameters, a user could obtain claimable amounts for other users. This is a frontend vulnerability, but it is caused by the contract providing insecure data.

* **Merkle Root Integrity:**

* If the `merkle_proofs.json` file is compromised, an attacker could replace the Merkle root with a malicious one, allowing them to claim tokens for unauthorized addresses. This is not a contract vulnerability, but a deployment and operational security risk.

* **Block Timestamp Manipulation:**

* Although unlikely, miners could manipulate block timestamps within a small window, potentially affecting the vesting calculations. This is a general Ethereum concern.

* **Denial of Service:**

* If the contract has a large number of users, and a large number of claims are made in a short period of time, the contract could run out of gas. This is a general smart contract concern.

**4. Recommendations:**

* **Frontend Validation:**

* Ensure that the frontend validates all user inputs against the Merkle proofs before calling the `claim` function.

* The frontend should validate the data retrieved from the `claimable_amount` function, with the data from the merkle proofs.

* **Operational Security:**

* Store the `merkle_proofs.json` file securely and implement a robust process for generating and verifying it.

* Implement controls to ensure that the owner's private key is stored securely.

* **Consider a Claim Window:**

* To mitigate front-running, consider implementing a claim window, where claims can only be made within a specific time range.

* **Gas Optimization:**

* Consider gas optimization techniques to reduce the cost of claiming, especially if the contract has a large number of users.

**In summary, the contract itself is relatively well-written, but the potential vulnerabilities lie in the frontend and operational security aspects.**

Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.