Vyper Vested Claims

First Flight #34

Beginner FriendlyDeFi

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

Anyone can claim tokens from 'claim' function for any user according to the documentation

simranjitsinghss

Summary

Hi Team, I found out some issue in the documentation of smart contract during code analysis in which anyone can claim tokens for any user without valid proof.

Vulnerability Details

The key details of this potential bug are given below:
In the code analysis, I found out that in the line 144 of the contract, the function 'claim' has* *the @dev comment states that any person can claim the tokens for any user. While the comment for the documentation can be intentional yet it can lead to front-running scenario in which an attacker can transfer tokens from a user to some other's account via proxy routing.

Code

@external

def claim(user: address, total_amount: uint256, proof: DynArray[bytes32, 20]) -> bool:

"""

@notice This function is used to claim the tokens

@> @dev Anyone can claim for any user

@param user address, the address of the user

@param total_amount uint256, the total amount of tokens

@param proof DynArray[bytes32, 20], the merkle proof

@return bool True if the claim is successful

"""

# Checks

assert self.verify_proof(user, total_amount, proof), "Invalid proof"

assert block.timestamp >= self.vesting_start_time, "Claiming is not available yet"

claimable: uint256 = 0

current_amount: uint256 = self.claimed_amount[user]

vested: uint256 = self._calculate_vested_amount(total_amount)

Impact

If the documentation is correct, it can lead to front-running bug and create token loss for the users.
If not, It can create confusion for the contract users.

Tools Used

Manual Analysis

Recommendations

Consider provide proper documentation for the contract to avoid confusion and restrict claims from unauthorized addresses as well.

Updates

Appeal created

bube Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

127

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.