Vyper Vested Claims

First Flight #34

Beginner FriendlyDeFi

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Arithmetic Calculation Error can lead to loss of tokens during vesting duration

simranjitsinghss

Summary

Hi Team, I found out a potential vulnerability in the code during manual checking of the smart contract in which the loss of tokens can occur during calculation of vesting period by the means of arithmetic underflow flaw.

Vulnerability Details

The key details of this potential vulnerability are given below:

During the manual analysis of the code, I found out from line 91-112, '_calculate_vested_amount::instant_release' and '_calculate_vested_amount::linear_vesting' results in miscalculation of tokens in the vested duration leads to loss of tokens and impacting the overall trust of users on the smart contract. For eg:

If the total amount of tokens are 101, then the calculation should be:

instant_release = (101 * 31) // 100 = 31

linear_vesting = (101 * 69) // 100 = 69

Total = 31+69=100

which results in 1 token loss and further miscalculation in 'vested' component and vesting duration is deriving 'linear_vesting' component in it.

Code:

@view

def _calculate_vested_amount(total_amount: uint256) -> uint256:

current_time: uint256 = block.timestamp

start_time: uint256 = self.vesting_start_time

end_time: uint256 = self.vesting_end_time

vested: uint256 = 0

if current_time >= end_time:

return total_amount

vesting_duration: uint256 = end_time - start_time

elapsed: uint256 = current_time - start_time

@> instant_release: uint256 = (total_amount * 31) // 100

linear_vesting: uint256 = (total_amount * 69) // 100

@> vested = instant_release + (linear_vesting * elapsed) // vesting_duration

return vested

Impact

Users can't be able to claim their vested allocation, leads to token loss scenario.
Loss of trust among users for the project due to arithmetic logical error in the code.

Tools Used

Manual Analysis

Recommendations

Avoid the arithmetic error by defining one component i.e. 'instant_release' and deriving the other i.e. 'linear_vesting'.

instant_release: uint256 = (total_amount * 31) // 100

linear_vesting: uint256 = total_amount - instant_release

Updates

Appeal created

bube Lead Judge 4 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Rounding issue in vesting calculation

Rewards breakdown

nSLOC

127

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.