Vyper Vested Claims

First Flight #34
Beginner FriendlyDeFi
100 EXP
View results
Submission Details
Severity: low
Invalid

Merkle Root Update can lead to restriction on token claim by users

Summary

Hi Team, I found out some issue in the smart contract code which can potentially leads to the restirction of token claim by the users because of the merkle root updation in the contract.

Vulnerability Details

The key details of this potential vulnerability are given below:

In the function 'set_merkle_root', it allows the owner to update the Merkle root at any time which can lead to the invalidity of the existing proofs to claim tokens from the contract and users can no longer claim them.

@external
def set_merkle_root(merkle_root: bytes32):
"""
@notice This function is used to set the merkle root
@param merkle_root bytes32, the new merkle root
@dev This function can only be called by the owner
"""
self.onlyOwner()
@> self.merkle_root = merkle_root
log MerkleRootUpdated(merkle_root)

Impact

The main problem arises with this bug is that users could lose the access to their vested tokens if the merkle root gets updated and leads to the loss of trust by the users.

Tools Used

Manual Analysis

Recommendations

  • Add a time lock for the Merkle root to update so that users can claim their vested tokens in that time period.

  • In addition, you can disable 'set_merkle_root' after a certain period of time to prevent changes i.e. after vesting starts.

Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] No checks in `set_merkle_root` function

The `set_merkle_root` function is called only by the `owner` and the `owner` is trusted. This means the input argument `merkle_root` will be correct and the `owner` will not call again the `set_merkle_root` function.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.