Hi Team, I found an issue in the documentation of the smart contract during code analysis, in which anyone can claim tokens for any user without valid proof.
The key details of this potential bug are given below:
In the code analysis, I found that at line 144 of the contract, the function 'claim' has a @dev comment which states that any person can claim the tokens for any user. While the comment in the documentation may be intentional, it can lead to a front-running scenario in which an attacker can transfer tokens from a user to someone else's account via proxy routing.
Code
If the documentation is correct, it can lead to a front-running bug and create token loss for the users.
If not, it can create confusion for the contract users.
Manual Analysis
Consider providing proper documentation for the contract to avoid confusion, and restrict claims from unauthorized addresses as well.