Vyper Vested Claims

First Flight #34
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: high
Invalid

Access Control Vulnerabilities by manipulating vesting_start_time can lead to Denial of Service

Summary

Anyone can directly change vesting_start_time to a far future timestamp; this blocks the claiming process and thus locks all the tokens.

Vulnerability Details

Because vesting_start_time and vesting_end_time are public storage variables, they can be updated by anyone.
Hackers are able to set vesting_start_time to a very far future date. There is a check that compares the current time with vesting_start_time and reverts if the current time is less than vesting_start_time. This blocks all claims until the start time has been reached.

The following test demonstrates this.

import boa  # titanoboa; block_timestamp(), warp() and thirty_days() are assumed to be helpers from the project's own test suite

def test_claim_amount_alter_start_date_far_future(self):
    """
    The start time can be set to a very far future date, in effect blocking claims.
    """
    current_time = self.airdrop.vesting_start_time()
    assert current_time != 0
    future_timestamp = block_timestamp() + 60 * 60 * 24 * 30000000000
    # boa's eval runs Vyper source in the contract's context from the test harness
    self.airdrop.eval(f"self.vesting_start_time = {future_timestamp}")
    assert self.airdrop.vesting_start_time() == future_timestamp
    # after 30 days still can't claim
    warp(block_timestamp() + thirty_days())
    with boa.reverts("Claiming is not available yet"):
        self.airdrop.claimable_amount(self.user1, self.amount)
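The start-time gate that the test above hits, and the access control around changing the schedule, as an added Python model. This is illustration code written for this page, not the project's Vyper contract: the `VestedClaims` class, its `owner` field, the `set_vesting_start_time` setter, the linear vesting formula and all timestamps and amounts are assumptions constructed for the example. The `Revert` exception stands in for a Vyper `assert ..., "reason"` failure.

```python
"""Added model of a vesting start-time gate with an owner-restricted setter.

Not the audited contract: class name, owner field, setter and the linear
vesting formula are assumptions made for this example.
"""
from dataclasses import dataclass

DAY = 60 * 60 * 24


class Revert(Exception):
    """Stands in for a Vyper `assert ..., "reason"` failure."""


@dataclass
class VestedClaims:
    owner: str
    vesting_start_time: int
    vesting_end_time: int

    def claimable_amount(self, user: str, total: int, now: int) -> int:
        # Same gate the page's test expects: nothing is claimable before start.
        if now < self.vesting_start_time:
            raise Revert("Claiming is not available yet")
        if now >= self.vesting_end_time:
            return total
        # Assumed linear vesting between start and end (not taken from the page).
        elapsed = now - self.vesting_start_time
        duration = self.vesting_end_time - self.vesting_start_time
        return total * elapsed // duration

    def set_vesting_start_time(self, caller: str, new_start: int) -> None:
        # Hypothetical setter: only the owner may move the schedule, and only
        # to a start that still precedes the end, so a far-future start that
        # would lock every claim is rejected.
        if caller != self.owner:
            raise Revert("Not owner")
        if new_start >= self.vesting_end_time:
            raise Revert("Start must precede end")
        self.vesting_start_time = new_start


def run_scenario() -> dict:
    """Replay the attempt from the page's test against the guarded model."""
    t0 = 1_700_000_000          # constructed schedule start
    total = 1_000_000           # constructed allocation for user1
    c = VestedClaims(owner="owner", vesting_start_time=t0,
                     vesting_end_time=t0 + 100 * DAY)
    out = {}

    # Before the start time the claim path reverts, as the test expects.
    try:
        c.claimable_amount("user1", total, t0 - 1)
    except Revert as e:
        out["before_start_reverted_with"] = str(e)

    # A non-owner pushing the start far into the future is rejected,
    # so the schedule is unchanged and claims are not locked.
    try:
        c.set_vesting_start_time("attacker", t0 + 30_000_000_000 * DAY)
    except Revert as e:
        out["attacker_reverted_with"] = str(e)
    out["start_unchanged"] = c.vesting_start_time == t0

    # Day 30 of a 100-day schedule: 30% of the allocation has vested.
    out["claimable_day_30"] = c.claimable_amount("user1", total, t0 + 30 * DAY)

    # The owner may legitimately reschedule within the bounds; day 30 is
    # then day 20 of a 90-day schedule.
    c.set_vesting_start_time("owner", t0 + 10 * DAY)
    out["after_owner_reschedule"] = c.claimable_amount("user1", total, t0 + 30 * DAY)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model separates the two things the finding runs together: the time gate in `claimable_amount` is correct behaviour, and the security question is who is allowed to write `vesting_start_time`. In the model that write goes through a guarded setter; on chain, storage a contract exposes no setter for can only be written from a test harness such as the `eval` call in the test above.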

Impact

No one can claim the tokens.

Tools Used

Moccasin tests

Recommendations

Set vesting_start_time and vesting_end_time to private. This prevents anyone from updating them.

Updates

Appeal created

bube Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
