Hacker can directly update vesting_start_time to 0 and claim almost all the tokens.
Because vesting_start_time and vesting_end_time are public storage variables, they can be updated by anyone. A hacker is able to change vesting_start_time to 0, and this affects the claim calculation. The claim calculation uses the difference between the current time and the start timestamp as the elapsed time, and a longer elapsed time leads to a larger amount of tokens claimed.
The following test shows that by manipulating vesting_start_time, someone can claim 99% of the total amount.
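To make the claim arithmetic concrete, here is an added plain-Python model of a linear vesting schedule. It is not the contest contract and not the finder's Moccasin test; the class and function names, the total supply and the timestamps are constructed for illustration. It computes how much is claimable one day into a one-year schedule, once honestly and once after vesting_start_time has been reset to 0, and shows the same call failing when the setter is restricted to the owner.

```python
# Added example (not the audited contract or the original Moccasin test):
# a Python model of a linear vesting schedule, used to show how lowering
# vesting_start_time inflates the claimable amount and how restricting who
# may set it removes the issue. All names and numbers are constructed.

TOTAL = 1_000_000  # constructed: total tokens locked in the schedule


class LinearVesting:
    """Linear vesting: vested = total * elapsed / duration, capped at total."""

    def __init__(self, owner, vesting_start_time, vesting_end_time, total=TOTAL):
        assert vesting_end_time > vesting_start_time
        self.owner = owner
        self.vesting_start_time = vesting_start_time
        self.vesting_end_time = vesting_end_time
        self.total = total
        self.claimed = 0

    def vested(self, now):
        # Same shape as the claim calculation described in the finding:
        # elapsed time since start, as a fraction of the whole duration.
        if now <= self.vesting_start_time:
            return 0
        if now >= self.vesting_end_time:
            return self.total
        elapsed = now - self.vesting_start_time
        duration = self.vesting_end_time - self.vesting_start_time
        return self.total * elapsed // duration

    def claimable(self, now):
        return self.vested(now) - self.claimed

    def claim(self, now):
        amount = self.claimable(now)
        self.claimed += amount
        return amount


class UnguardedVesting(LinearVesting):
    """Models the reported weakness: any caller can rewrite the start time."""

    def set_vesting_start_time(self, caller, new_start):
        self.vesting_start_time = new_start  # no access control


class GuardedVesting(LinearVesting):
    """Mitigation: the start time is only adjustable by the owner."""

    def set_vesting_start_time(self, caller, new_start):
        if caller != self.owner:
            raise PermissionError("only the owner may change the schedule")
        self.vesting_start_time = new_start


# Constructed scenario: one day into a 365-day schedule.
NOW = 1_700_000_000
START = NOW - 86_400
END = START + 365 * 86_400


def claim_fraction_after_reset(vesting_cls, now=NOW, start=START, end=END):
    """Fraction of the total a non-owner can claim after trying to zero the start."""
    v = vesting_cls("owner", start, end)
    try:
        v.set_vesting_start_time("not_the_owner", 0)
    except PermissionError:
        pass  # guarded variant: schedule unchanged
    return v.claim(now) / v.total


if __name__ == "__main__":
    print("unguarded:", claim_fraction_after_reset(UnguardedVesting))  # ~0.98
    print("guarded:  ", claim_fraction_after_reset(GuardedVesting))    # ~0.0027
```

With the start reset to 0, the elapsed time becomes the whole Unix timestamp while the duration only grows by the original start offset, so the vested fraction is now / end, close to 1. The guarded variant leaves the schedule untouched and the honest fraction stays at 1/365.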
Almost total loss of funds.
Moccasin tests
Set vesting_start_time and vesting_end_time to private. This prevents anyone from updating them.