Hi Team, I found an issue in the smart contract code which can potentially lead to the restriction of token claims by users because of the Merkle root update in the contract.
The key details of this potential vulnerability are given below:
The function 'set_merkle_root' allows the owner to update the Merkle root at any time, which can lead to the invalidity of the existing proofs to claim tokens from the contract, so users can no longer claim them.
The main problem that arises with this bug is that users could lose access to their vested tokens if the Merkle root gets updated, which leads to a loss of trust by the users.
Manual Analysis
Add a time lock on Merkle root updates so that users can claim their vested tokens in that time period.
In addition, you can disable 'set_merkle_root' after a certain period of time to prevent changes, i.e. after vesting starts.
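Added example, not part of the submission or of the contest's contract code: a Python model of how a proof issued against the old Merkle root stops verifying once the root changes, and how a time lock keeps it valid until the delay expires. SHA-256, sorted-pair hashing, the `name:amount` leaf encoding, the timestamps and the `active_root` helper are assumptions made for the illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    # SHA-256 stands in for the contract's hash, which the page does not show
    return hashlib.sha256(data).digest()

def pair(a: bytes, b: bytes) -> bytes:
    # Sorted-pair hashing (assumption) so proofs need no left/right flags
    return h(min(a, b) + max(a, b))

def build(leaves):
    """Return every level of the tree, hashed leaves first, root last."""
    levels = [[h(leaf) for leaf in leaves]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        cur = cur + [cur[-1]] if len(cur) % 2 else cur  # duplicate odd tail
        levels.append([pair(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def proof(levels, idx):
    out = []
    for lvl in levels[:-1]:
        lvl = lvl + [lvl[-1]] if len(lvl) % 2 else lvl
        out.append(lvl[idx ^ 1])  # sibling at this level
        idx //= 2
    return out

def verify(leaf, prf, root):
    node = h(leaf)
    for sibling in prf:
        node = pair(node, sibling)
    return node == root

def active_root(old_root, new_root, proposed_at, delay, now):
    # Hypothetical time lock: the new root applies only once `delay` has passed
    return new_root if now >= proposed_at + delay else old_root

def demo():
    # Constructed allocations; only bob's amount differs in the new tree
    old = build([b"alice:100", b"bob:200", b"carol:300"])
    new = build([b"alice:100", b"bob:250", b"carol:300"])
    bob_proof, old_root, new_root = proof(old, 1), old[-1][0], new[-1][0]
    immediate = verify(b"bob:200", bob_proof, new_root)  # root swapped at once
    lock = dict(old_root=old_root, new_root=new_root, proposed_at=1000, delay=86400)
    during = verify(b"bob:200", bob_proof, active_root(now=4600, **lock))
    after = verify(b"bob:200", bob_proof, active_root(now=87400, **lock))
    return immediate, during, after
```

Only one leaf changes between the two trees, yet every proof issued from the old tree fails against the new root, because each proof path includes a hash that depends on the changed leaf.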
The `set_merkle_root` function is called only by the `owner` and the `owner` is trusted. This means the input argument `merkle_root` will be correct and the `owner` will not call the `set_merkle_root` function again.