Summary

The VestedAirdrop.vy contract utilizes the @nonreentrant decorator to prevent reentrancy attacks. However, specific versions of the Vyper compiler (0.2.15, 0.2.16, and 0.3.0) contain a flaw in the implementation of this decorator, rendering the reentrancy protection ineffective. This vulnerability could allow malicious actors to perform reentrant calls, leading to unauthorized withdrawals of tokens from the contract.

Vulnerability Details

In the affected Vyper compiler versions, the @nonreentrant decorator does not correctly manage the reentrancy lock across different functions. The lock variables are stored in separate storage locations for each function, which means that while one function is protected against reentrancy, another can be called reentrantly without restriction. This flaw undermines the intended protection, allowing attackers to exploit the contract by making recursive calls to withdraw more funds than they are entitled to.

Impact

Exploiting this vulnerability, an attacker can repeatedly call the claim function (or any other function intended to be protected by @nonreentrant) before the initial execution completes. This can result in the attacker draining the contract's token balance, leading to significant financial losses for the project and its legitimate users.

Tools Used

• Static Analysis Tools: To detect the presence of the flawed @nonreentrant decorator in the contract code.

• Vyper Compiler Version Check: Ensuring the contract is not compiled with the vulnerable versions (0.2.15, 0.2.16, 0.3.0).

Recommendations

1. Upgrade Vyper Compiler: Compile the contract using Vyper version 0.3.1 or later, where the @nonreentrant decorator issue has been resolved.

2. Implement Additional Reentrancy Guards: Incorporate function-level reentrancy checks, such as using a mutex or status variable, to ensure that functions cannot be reentered during execution.

3. Conduct Comprehensive Security Audits: Perform thorough code reviews and testing to identify and mitigate potential vulnerabilities before deployment.

4. Stay Informed on Compiler Updates: Regularly monitor updates and patches from the Vyper development team to stay ahead of potential vulnerabilities.