Merkle Root Update can lead to restriction on token claim by users
Summary
Hi Team, I found out some issue in the smart contract code which can potentially leads to the restirction of token claim by the users because of the merkle root updation in the contract.
Vulnerability Details
The key details of this potential vulnerability are given below:
In the function 'set_merkle_root', it allows the owner to update the Merkle root at any time which can lead to the invalidity of the existing proofs to claim tokens from the contract and users can no longer claim them.
Impact
The main problem arises with this bug is that users could lose the access to their vested tokens if the merkle root gets updated and leads to the loss of trust by the users.
Tools Used
Manual Analysis
Recommendations
Add a time lock for the Merkle root to update so that users can claim their vested tokens in that time period.
In addition, you can disable 'set_merkle_root' after a certain period of time to prevent changes i.e. after vesting starts.
Appeal created
[Invalid] No checks in `set_merkle_root` function
The `set_merkle_root` function is called only by the `owner` and the `owner` is trusted. This means the input argument `merkle_root` will be correct and the `owner` will not call again the `set_merkle_root` function.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.