Vyper Vested Claims

First Flight #34
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: high
Invalid

Access Control Vulnerabilities on vesting_start_time can lead to loss of funds.

Summary

A hacker can directly update vesting_start_time to 0 and claim almost all of the tokens.

Vulnerability Details

Because vesting_start_time and vesting_end_time are public storage variables, they can be updated by anyone.
Hackers are able to change vesting_start_time to 0, and this affects the claim calculation code here. The claim calculation uses the difference between the current time and the start timestamp as the elapsed time, so a longer elapsed time leads to a larger claimable amount.

The following test shows that, by manipulating vesting_start_time, someone can claim 99% of the total amount.

```python
def test_claim_amount_alter_start_date(self):
    """
    Anyone can alter start_date and set it to 0 and claim 99% of total tokens.
    """
    current_time = self.airdrop.vesting_start_time()
    assert current_time != 0
    # Alter start_time by writing the storage variable directly
    self.airdrop.eval("self.vesting_start_time = 0")
    assert self.airdrop.vesting_start_time() == 0
    # Recompute the expected claimable amount with start time 0:
    # 31% is released instantly, the remaining 69% vests linearly
    linear_vesting = (self.amount * 69) // 100
    vesting_duration = self.airdrop.vesting_end_time() - 0
    elapsed = block_timestamp() - 0  # block_timestamp() is a test helper
    almost_all_amount_claimable = (self.amount * 31 // 100) + (linear_vesting * elapsed) // vesting_duration
    assert almost_all_amount_claimable / self.amount > 0.99
    claimable = self.airdrop.claimable_amount(self.user1, self.amount)
    assert claimable == almost_all_amount_claimable
```
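As an added illustration (not the project's Vyper code and not the submitter's test), a plain-Python model of the claim formula the test above relies on: 31% released up front and 69% vested linearly by elapsed/duration. The percentages come from the test; the clamping of elapsed time to the vesting window, the empty-window check and the sample timestamps are assumptions made here, and compare_start_times is a hypothetical helper that shows how strongly the payout depends on the stored start timestamp.

```python
# Added illustration of the claim arithmetic described in the report.
INSTANT_RELEASE_PCT = 31   # share unlocked immediately (from the report's test)
LINEAR_RELEASE_PCT = 69    # share vested linearly between start and end


def claimable_amount(total_amount: int, vesting_start_time: int,
                     vesting_end_time: int, now: int) -> int:
    """Amount of total_amount claimable at time `now`.

    Mirrors the report's formula: 31% up front plus a pro-rata share of the
    remaining 69% by elapsed/duration. Clamping `elapsed` to the window and
    rejecting an empty window are assumptions added here (integer math,
    as on-chain).
    """
    if vesting_end_time <= vesting_start_time:
        raise ValueError("vesting window must be non-empty")
    duration = vesting_end_time - vesting_start_time
    elapsed = min(max(now - vesting_start_time, 0), duration)
    instant = total_amount * INSTANT_RELEASE_PCT // 100
    linear = total_amount * LINEAR_RELEASE_PCT // 100
    return instant + linear * elapsed // duration


def compare_start_times(total_amount: int, real_start: int, end: int,
                        now: int, altered_start: int = 0) -> tuple[int, int]:
    """Claimable under the stored start versus an altered start (the report's
    scenario is altered_start == 0). Hypothetical helper for illustration."""
    honest = claimable_amount(total_amount, real_start, end, now)
    altered = claimable_amount(total_amount, altered_start, end, now)
    return honest, altered


# Constructed sample input: a 90-day vesting window queried 30 days in.
DAY = 86_400
SAMPLE_START = 1_700_000_000
SAMPLE_END = SAMPLE_START + 90 * DAY
SAMPLE_NOW = SAMPLE_START + 30 * DAY
SAMPLE_TOTAL = 1_000_000

if __name__ == "__main__":
    honest, altered = compare_start_times(SAMPLE_TOTAL, SAMPLE_START,
                                          SAMPLE_END, SAMPLE_NOW)
    print(f"stored start: {honest} ({honest / SAMPLE_TOTAL:.1%} of total)")
    print(f"start set to 0: {altered} ({altered / SAMPLE_TOTAL:.1%} of total)")
```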

Impact

Almost total loss of funds.

Tools Used

Moccasin tests

Recommendations

Set vesting_start_time and vesting_end_time to private. This prevents anyone from updating them.

Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
