A vulnerability was identified in the claimable_amount view function of the VestedAirdrop contract. The function fails to properly account for already claimed amounts when calculating the linear vesting portion, leading to incorrect claimable amount calculations. This could result in users receiving misleading information about their available claims.
The issue lies in the claimable_amount view function, where the vested amount is calculated without properly subtracting the tokens already claimed. The claim function handles this correctly by maintaining a claimed_amount mapping, but the view function does not use that mapping consistently in its own calculation.
The issue manifests when:
1. A user claims their initial 31% TGE allocation
2. Time passes and linear vesting occurs
3. The view function returns incorrect amounts because it doesn't properly account for the already claimed TGE portion in the linear vesting calculation
Severity: Medium
This vulnerability could lead to:
Incorrect information being displayed to users about their claimable amounts
Potential confusion in the frontend interface
Miscalculations in user dashboards and analytics
Possible disputes if users rely on this information for financial decisions
While this doesn't directly affect the actual token transfers (which are handled correctly in the claim function), it creates a significant user experience issue and could lead to loss of trust in the platform.
The issue can be demonstrated through the failing test cases test_claimable_amount and test_claimable_amount_with_claims.
Tools used: manual code review.
1. Modify the claimable_amount function so that the amount recorded in claimed_amount is subtracted from both the TGE and the linear vesting portions
2. Add additional test cases to verify edge cases in the claimable amount calculations
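As an added illustration, not code from the VestedAirdrop contract itself, the following Python model reproduces the failure sequence above (TGE claim, time passes, view drifts from the claim function) next to the recommended fix. The 31% TGE share comes from the finding; the vesting duration, the allocation size, and the exact shape of the defective view are assumptions made for this model.

```python
from dataclasses import dataclass, field

# Hypothetical model of the schedule described in the finding: 31% unlocks
# at TGE, the remaining 69% vests linearly. VESTING_DURATION is assumed.
TGE_BPS = 3100            # 31% in basis points (from the finding)
BPS = 10_000
VESTING_DURATION = 1_000  # seconds; assumption for the model


@dataclass
class VestedAirdrop:
    tge_time: int
    allocation: dict[str, int]
    claimed_amount: dict[str, int] = field(default_factory=dict)

    def _tge_share(self, user: str) -> int:
        return self.allocation.get(user, 0) * TGE_BPS // BPS

    def _linear_share(self, user: str, now: int) -> int:
        """Linearly vested part of the non-TGE tranche at time `now`."""
        total = self.allocation.get(user, 0)
        elapsed = min(max(now - self.tge_time, 0), VESTING_DURATION)
        return (total - self._tge_share(user)) * elapsed // VESTING_DURATION

    def vested(self, user: str, now: int) -> int:
        """Everything unlocked so far, claimed or not."""
        if now < self.tge_time:
            return 0
        return self._tge_share(user) + self._linear_share(user, now)

    def claimable_amount_buggy(self, user: str, now: int) -> int:
        """Assumed shape of the defect: claimed_amount is only netted against
        the TGE tranche, so linear vesting already paid out is re-reported."""
        if now < self.tge_time:
            return 0
        claimed = self.claimed_amount.get(user, 0)
        unclaimed_tge = max(self._tge_share(user) - claimed, 0)
        return unclaimed_tge + self._linear_share(user, now)

    def claimable_amount(self, user: str, now: int) -> int:
        """Corrected view: total vested minus everything already claimed."""
        return self.vested(user, now) - self.claimed_amount.get(user, 0)

    def claim(self, user: str, now: int) -> int:
        """State-changing claim; pays out exactly what the corrected view reports."""
        amount = self.claimable_amount(user, now)
        self.claimed_amount[user] = self.claimed_amount.get(user, 0) + amount
        return amount
```

Running the sequence from the finding shows the two views agreeing right after the TGE claim but diverging once a linear-vesting claim has been recorded, which is what a test like test_claimable_amount_with_claims catches.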