Vyper Vested Claims

First Flight #34
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: low
Invalid

Anyone can claim tokens from the `claim` function for any user, according to the documentation

Summary

Hi Team, I found an issue in the documentation of the smart contract during code analysis, in which anyone can claim tokens for any user without a valid proof.

Vulnerability Details

The key details of this potential bug are given below:
During code analysis, I found that at line 144 of the contract, the @dev comment on the `claim` function states that any person can claim the tokens for any user. While the documentation comment may be intentional, it can lead to a front-running scenario in which an attacker transfers tokens from a user to someone else's account via proxy routing.

Code

@external
def claim(user: address, total_amount: uint256, proof: DynArray[bytes32, 20]) -> bool:
    """
    @notice This function is used to claim the tokens
@>  @dev Anyone can claim for any user
    @param user address, the address of the user
    @param total_amount uint256, the total amount of tokens
    @param proof DynArray[bytes32, 20], the merkle proof
    @return bool True if the claim is successful
    """
    # Checks
    assert self.verify_proof(user, total_amount, proof), "Invalid proof"
    assert block.timestamp >= self.vesting_start_time, "Claiming is not available yet"
    claimable: uint256 = 0
    current_amount: uint256 = self.claimed_amount[user]
    vested: uint256 = self._calculate_vested_amount(total_amount)

Impact

  • If the documentation is correct, it can lead to a front-running bug and create token loss for the users.

  • If not, it can create confusion for the contract users.

Tools Used

Manual Analysis

Recommendations

Consider providing proper documentation for the contract to avoid confusion, and restrict claims from unauthorized addresses as well.
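As an added example, not code from the Vyper Vested Claims contest or from the submitter, here is a Python model of the claim flow the snippet above shows: a Merkle tree over (user, total_amount) leaves, a `verify_proof` over that tree, and a `claim` that can be called by anyone for any user. Everything the snippet does not show is an assumption and is marked as such in the code: sha256 stands in for keccak256, sibling pairs are hashed in sorted order, vesting is linear between a start and an end time, an empty claim is rejected, timestamps are passed in explicitly, and the payout is credited to `user`. The `demo` function walks through a third party calling `claim` on someone else's allocation and records which calls succeed and which revert under those assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List


def h(data: bytes) -> bytes:
    # Assumption: sha256 stands in for the keccak256 an on-chain contract would use.
    return hashlib.sha256(data).digest()


def leaf(user: str, total_amount: int) -> bytes:
    # A leaf binds a recipient address (20 bytes) to its full allocation (uint256).
    return h(bytes.fromhex(user[2:]) + total_amount.to_bytes(32, "big"))


def hash_pair(a: bytes, b: bytes) -> bytes:
    # Assumption: sorted-pair hashing, so a proof carries no left/right flags.
    return h(a + b) if a <= b else h(b + a)


def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    # Returns every level, leaves first, root last; odd levels duplicate their last node.
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([hash_pair(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def proof_for(levels: List[List[bytes]], index: int) -> List[bytes]:
    # Sibling path from the leaf at `index` up to (but excluding) the root.
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append(level[index ^ 1])
        index //= 2
    return proof


def verify_proof(root: bytes, user: str, total_amount: int, proof: List[bytes]) -> bool:
    # Recomputes the root from the (user, total_amount) leaf; any change to either fails.
    node = leaf(user, total_amount)
    for sibling in proof:
        node = hash_pair(node, sibling)
    return node == root


@dataclass
class VestedClaims:
    merkle_root: bytes
    vesting_start_time: int
    vesting_end_time: int
    claimed_amount: Dict[str, int] = field(default_factory=dict)
    balances: Dict[str, int] = field(default_factory=dict)  # stand-in for the ERC20 balances

    def _calculate_vested_amount(self, total_amount: int, now: int) -> int:
        # Assumption: linear vesting between start and end.
        if now >= self.vesting_end_time:
            return total_amount
        elapsed = now - self.vesting_start_time
        duration = self.vesting_end_time - self.vesting_start_time
        return total_amount * elapsed // duration

    def claim(self, caller: str, user: str, total_amount: int, proof: List[bytes], now: int) -> bool:
        # Checks in the order the Vyper snippet shows them; `caller` is never consulted.
        assert verify_proof(self.merkle_root, user, total_amount, proof), "Invalid proof"
        assert now >= self.vesting_start_time, "Claiming is not available yet"
        current_amount = self.claimed_amount.get(user, 0)
        vested = self._calculate_vested_amount(total_amount, now)
        assert vested > current_amount, "Nothing to claim"  # assumption: empty claims revert
        claimable = vested - current_amount
        # Effects: credit goes to `user`, the address bound by the proven leaf, not to `caller`
        # (assumption consistent with the per-user claimed_amount accounting in the snippet).
        self.claimed_amount[user] = current_amount + claimable
        self.balances[user] = self.balances.get(user, 0) + claimable
        return True


def reverts(fn: Callable[[], object]) -> bool:
    # True if the call fails one of the contract-style assertions.
    try:
        fn()
    except AssertionError:
        return False or True
    return False


def demo() -> Dict[str, object]:
    # Constructed sample allocation list (three leaves, so the odd-level padding is exercised).
    alice, bob, carol, attacker = ("0x" + b * 20 for b in ("11", "22", "33", "ee"))
    allocations = [(alice, 1000), (bob, 500), (carol, 250)]
    levels = build_tree([leaf(u, a) for u, a in allocations])
    proofs = {u: proof_for(levels, i) for i, (u, _) in enumerate(allocations)}
    vc = VestedClaims(merkle_root=levels[-1][0], vesting_start_time=1000, vesting_end_time=2000)

    out: Dict[str, object] = {}
    # A stranger claims for alice halfway through vesting.
    out["third_party_ok"] = vc.claim(attacker, alice, 1000, proofs[alice], now=1500)
    out["alice_balance_mid"] = vc.balances.get(alice, 0)
    out["attacker_balance"] = vc.balances.get(attacker, 0)
    # Repeating the same call at the same time has nothing left to move.
    out["replay_reverts"] = reverts(lambda: vc.claim(attacker, alice, 1000, proofs[alice], now=1500))
    # Alice's proof does not transfer to another address or amount.
    out["wrong_user_reverts"] = reverts(lambda: vc.claim(attacker, attacker, 1000, proofs[alice], now=1500))
    out["wrong_amount_reverts"] = reverts(lambda: vc.claim(attacker, alice, 2000, proofs[alice], now=1500))
    # Alice claims the remainder herself once vesting has ended.
    vc.claim(alice, alice, 1000, proofs[alice], now=2000)
    out["alice_balance_end"] = vc.balances[alice]
    out["before_start_reverts"] = reverts(lambda: vc.claim(bob, bob, 500, proofs[bob], now=999))
    return out
```

Under these assumptions a third-party call moves the vested amount to the proven `user` and leaves the caller's own balance untouched, while changing either the user or the amount invalidates the proof. Whether that matches the deployed contract depends on where its transfer actually sends the tokens, which the snippet above cuts off before; that line is the one to check when deciding whether "anyone can claim for any user" is a loss of funds or only a gas gift.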

Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
