Vyper Vested Claims

First Flight #34

Beginner FriendlyDeFi

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

Zero Amount Token Rescue Vulnerability

heim

Summary

The rescue_tokens function in the VestedAirdrop contract allows zero-amount token transfers. While this doesn't pose a direct security risk, it allows unnecessary transactions that waste gas and could pollute event logs with meaningless transfers.

Vulnerability Details

The rescue_tokens function is designed as an emergency function to recover tokens from the contract. However, it lacks validation for the transfer amount, allowing zero-value transfers:

@external

def rescue_tokens(to: address, amount: uint256):

"""

@notice This function is used to rescue tokens from the contract

@param to address, the address to send the tokens to

@param amount uint256, the amount of tokens to send

"""

self.onlyOwner()

log TokensRescued(to, amount)

_success: bool = extcall IERC20(self.token).transfer(to, amount)

assert _success, "Transfer failed"

The function will execute and emit even when amount = 0, which serves no practical purpose.

Impact

Gas wastage through unnecessary zero-value transactions

Event log pollution with meaningless transfer events
Potential confusion in contract monitoring/analytics
Low severity as it's owner-only and doesn't risk funds

Tools Used

@external

def rescue_tokens(to: address, amount: uint256):

self.onlyOwner()

assert amount > 0, "Cannot rescue zero tokens"

log TokensRescued(to, amount)

_success: bool = extcall IERC20(self.token).transfer(to, amount)

assert _success, "Transfer failed"

Recommendations

1. Add amount validation to prevent zero-value transfers:

@external

def rescue_tokens(to: address, amount: uint256):

self.onlyOwner()

assert amount > 0, "Cannot rescue zero tokens"

log TokensRescued(to, amount)

_success: bool = extcall IERC20(self.token).transfer(to, amount)

assert _success, "Transfer failed"

Updates

Appeal created

bube Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

127

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.