Vyper Vested Claims

First Flight #34
Beginner FriendlyDeFi
100 EXP
View results
Submission Details
Severity: high
Invalid

Reentrancy Vulnerability Due to Flawed @nonreentrant Decorator in Vyper Compiler

Summary

The VestedAirdrop.vy contract utilizes the @nonreentrant decorator to prevent reentrancy attacks. However, specific versions of the Vyper compiler (0.2.15, 0.2.16, and 0.3.0) contain a flaw in the implementation of this decorator, rendering the reentrancy protection ineffective. This vulnerability could allow malicious actors to perform reentrant calls, leading to unauthorized withdrawals of tokens from the contract.

Vulnerability Details

In the affected Vyper compiler versions, the @nonreentrant decorator does not correctly manage the reentrancy lock across different functions. The lock variables are stored in separate storage locations for each function, which means that while one function is protected against reentrancy, another can be called reentrantly without restriction. This flaw undermines the intended protection, allowing attackers to exploit the contract by making recursive calls to withdraw more funds than they are entitled to.

Impact

Exploiting this vulnerability, an attacker can repeatedly call the claim function (or any other function intended to be protected by @nonreentrant) before the initial execution completes. This can result in the attacker draining the contract's token balance, leading to significant financial losses for the project and its legitimate users.

Tools Used

  • Static Analysis Tools: To detect the presence of the flawed @nonreentrant decorator in the contract code.

  • Vyper Compiler Version Check: Ensuring the contract is not compiled with the vulnerable versions (0.2.15, 0.2.16, 0.3.0).

Recommendations

  1. Upgrade Vyper Compiler: Compile the contract using Vyper version 0.3.1 or later, where the @nonreentrant decorator issue has been resolved.

  2. Implement Additional Reentrancy Guards: Incorporate function-level reentrancy checks, such as using a mutex or status variable, to ensure that functions cannot be reentered during execution.

  3. Conduct Comprehensive Security Audits: Perform thorough code reviews and testing to identify and mitigate potential vulnerabilities before deployment.

  4. Stay Informed on Compiler Updates: Regularly monitor updates and patches from the Vyper development team to stay ahead of potential vulnerabilities.

Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
mirmohmmadluqman Submitter
4 months ago
bube Lead Judge
4 months ago
bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.