Vyper Vested Claims

First Flight #34
Beginner Friendly / DeFi
100 EXP
Submission Details
Severity: low
Invalid

Zero Amount Token Rescue Vulnerability

Summary

The rescue_tokens function in the VestedAirdrop contract accepts a transfer amount of zero. This does not put funds at risk, but it lets the owner send pointless transactions that waste gas and pollute the event log with TokensRescued (and token Transfer) entries that moved nothing.

Vulnerability Details

The rescue_tokens function is an owner-only emergency function for recovering tokens from the contract. It does not validate the transfer amount, so a zero-value transfer is accepted:

@external
def rescue_tokens(to: address, amount: uint256):
    """
    @notice This function is used to rescue tokens from the contract
    @param to address, the address to send the tokens to
    @param amount uint256, the amount of tokens to send
    """
    self.onlyOwner()
    # no check on amount: emits the event and calls transfer even for amount == 0
    log TokensRescued(to, amount)
    _success: bool = extcall IERC20(self.token).transfer(to, amount)
    assert _success, "Transfer failed"

With amount = 0 the function still passes the owner check, emits TokensRescued, and calls transfer. A standard-compliant ERC-20 treats a zero-value transfer as a normal transfer and emits Transfer for it, so the call succeeds while moving nothing.

Impact

  • Gas wasted on transactions that move no tokens

  • Event log pollution: TokensRescued (and the token's Transfer) emitted for a zero amount

  • Potential confusion in contract monitoring/analytics that key off these events

  • Low severity: the function is owner-only and no funds are at risk

Tools Used


Recommendations

1. Add amount validation so that a zero-value rescue reverts before the event is emitted:

@external
def rescue_tokens(to: address, amount: uint256):
    self.onlyOwner()
    # reject zero-value rescues before any event is logged
    assert amount > 0, "Cannot rescue zero tokens"
    log TokensRescued(to, amount)
    _success: bool = extcall IERC20(self.token).transfer(to, amount)
    assert _success, "Transfer failed"
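
The behaviour described in Vulnerability Details and the recommended fix, as an added Python model (not the project's code and not part of the original submission). It stands in for a Vyper test harness: a minimal ERC-20-like token that follows the standard's rule that zero-value transfers succeed and emit Transfer, the original rescue_tokens, the hardened version, and a small monitoring filter showing which TokensRescued entries are noise. Token, Airdrop, the addresses and the helper names are assumptions made for this illustration.

```python
"""Constructed model of rescue_tokens before and after the amount check."""
from dataclasses import dataclass, field

# Assumed addresses for the illustration (not real accounts).
OWNER = "0xOwner"
TREASURY = "0xTreasury"
RANDO = "0xRando"
AIRDROP = "0xAirdrop"


@dataclass
class Token:
    """Minimal ERC-20-like balance book with an event log."""
    balances: dict = field(default_factory=dict)
    logs: list = field(default_factory=list)

    def transfer(self, sender, to, amount):
        # ERC-20: zero-value transfers are treated as normal transfers
        # and still emit Transfer, so amount == 0 succeeds here.
        if self.balances.get(sender, 0) < amount:
            return False
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount
        self.logs.append(("Transfer", sender, to, amount))
        return True


@dataclass
class Airdrop:
    """Model of the VestedAirdrop rescue path; asserts stand in for reverts."""
    token: Token
    owner: str = OWNER
    logs: list = field(default_factory=list)

    def _only_owner(self, caller):
        assert caller == self.owner, "Not owner"

    def rescue_tokens(self, caller, to, amount):
        """Original: event emitted and transfer attempted for any amount."""
        self._only_owner(caller)
        self.logs.append(("TokensRescued", to, amount))
        assert self.token.transfer(AIRDROP, to, amount), "Transfer failed"

    def rescue_tokens_fixed(self, caller, to, amount):
        """Recommended: zero amount reverts before the event is logged."""
        self._only_owner(caller)
        assert amount > 0, "Cannot rescue zero tokens"
        self.logs.append(("TokensRescued", to, amount))
        assert self.token.transfer(AIRDROP, to, amount), "Transfer failed"


def zero_rescue_events(logs):
    """Monitoring helper: TokensRescued entries that moved nothing."""
    return [e for e in logs if e[0] == "TokensRescued" and e[2] == 0]


def reverts(fn, *args):
    """True if the modelled call reverts (raises), False if it succeeds."""
    try:
        fn(*args)
        return False
    except AssertionError:
        return True


def demo():
    token = Token(balances={AIRDROP: 1_000})
    airdrop = Airdrop(token)

    # Original: the zero-amount call succeeds and leaves a useless event.
    airdrop.rescue_tokens(OWNER, TREASURY, 0)
    noise = len(zero_rescue_events(airdrop.logs))

    # Hardened: the zero-amount call reverts and logs nothing.
    zero_rejected = reverts(airdrop.rescue_tokens_fixed, OWNER, TREASURY, 0)

    # Both versions keep the owner check.
    non_owner_rejected = reverts(airdrop.rescue_tokens_fixed, RANDO, TREASURY, 10)

    # Hardened version still works for a real rescue.
    airdrop.rescue_tokens_fixed(OWNER, TREASURY, 250)

    return {
        "noise_events": noise,
        "zero_rejected": zero_rejected,
        "non_owner_rejected": non_owner_rejected,
        "rescued": token.balances[TREASURY],
        "rescue_log_len": len(airdrop.logs),
        "token_log_len": len(token.logs),
    }


if __name__ == "__main__":
    print(demo())
```

In a real test you would compile the actual contract and assert that the fixed rescue_tokens reverts with "Cannot rescue zero tokens" before any TokensRescued log is emitted; the model above checks the same three things: the original version emits for zero, the fixed version rejects zero, and the owner check and the non-zero path are unchanged.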

Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
