Vyper Vested Claims

First Flight #34
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: high
Invalid

Unsafe External Call in claim() Function

Summary

The claim() function transfers vested tokens with `extcall IERC20(self.token).transfer(user, claimable)` and asserts on the returned bool. Because the IERC20 interface declares transfer() as returning bool, Vyper requires the callee to return at least 32 bytes of data and reverts when it does not. A token that omits the return value (USDT is the usual example) therefore makes every call to claim() revert, and the vested tokens cannot be withdrawn through the contract.

Vulnerability Details

The function transfers tokens using an external call:

_success: bool = extcall IERC20(self.token).transfer(user, claimable)
assert _success, "Transfer failed"

Not every token that is treated as ERC-20 returns a boolean from transfer(). USDT, for instance, returns no data at all. Vyper ABI-decodes the return value of an interface call and reverts if fewer bytes than expected come back, so with such a token the extcall itself reverts before `_success` is ever evaluated.
The `assert _success` only covers the other non-standard case, a token that signals failure by returning False instead of reverting. It does nothing for a token that returns no data, so a vesting schedule denominated in that token cannot be claimed.

POC

  • Deploy an ERC-20 token whose transfer() is declared without a return value, and fund the vesting contract with it.

  • Have a user with a vested, unclaimed balance call claim().

  • The transaction reverts while decoding the (empty) return data of transfer(), so no claim succeeds and the tokens stay in the vesting contract.
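Constructed mock token for the first POC step, written here as an added example (it is not code from the submission or from the audited contract). The only property that matters is that transfer() carries no `-> bool`, so the call returns zero bytes of data, which is what a vesting contract whose IERC20 interface expects a bool will refuse to decode. The contract name and the minimal state are assumptions chosen for the example.

```vyper
# pragma version ~=0.4.0
# NoReturnToken: constructed mock of a USDT-style token for the POC.
# Added example, not part of the Vyper Vested Claims project.

balanceOf: public(HashMap[address, uint256])
totalSupply: public(uint256)

@deploy
def __init__(initial_supply: uint256):
    # Mint the whole supply to the deployer, who then funds the vesting contract.
    self.balanceOf[msg.sender] = initial_supply
    self.totalSupply = initial_supply


@external
def transfer(to: address, amount: uint256):
    # Deliberately declared without `-> bool`. A successful call returns
    # zero bytes of return data; a caller that ABI-decodes a bool from it
    # (as a Vyper `extcall IERC20(...).transfer(...)` does) reverts.
    assert self.balanceOf[msg.sender] >= amount, "insufficient balance"
    self.balanceOf[msg.sender] -= amount
    self.balanceOf[to] += amount
```

Deploy this token, point the vesting contract at it, fund it, and call claim(): the transaction reverts inside the extcall rather than at the `assert _success` line. Adding a `-> bool` return type to transfer() makes the same claim() call succeed, which isolates the missing return value as the cause.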

Impact

  • If the vesting token does not return a boolean from transfer(), every call to claim() reverts and users cannot withdraw what has vested.

  • Because claim() is the only withdrawal path, the tokens stay locked in the contract for as long as it is used with that token, which is a loss of funds for the beneficiaries.

Tools Used

Manual review

Recommendations

Use raw_call and inspect the return data instead of ABI-decoding a mandatory bool, so that a token returning no data is accepted while a token returning False is still rejected:

data: Bytes[68] = concat(method_id("transfer(address,uint256)"), convert(user, bytes32), convert(claimable, bytes32))
response: Bytes[32] = raw_call(self.token, data, max_outsize=32)
if len(response) != 0:  # USDT-style tokens return no data; a non-empty response must decode to True
    assert convert(response, bool), "Transfer failed"

  • Alternatively, keep the interface call and pass `default_return_value=True` to the extcall, which substitutes True when the callee returns no data while still failing on a returned False.

  • If the token is fixed at deployment, confirm before integrating it that its transfer() returns a bool; otherwise implement a safe transfer helper that handles tokens which return no data.
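A complete version of such a helper, as an added example and not code from the Vyper Vested Claims contract. It shows both approaches side by side: a hand-rolled raw_call that tolerates an empty response, and the built-in `default_return_value=True` kwarg on extcall. The contract layout (a `token` set in the constructor), the function names `_safe_transfer` and `_safe_transfer_builtin`, and `claim_example` are assumptions made for the example.

```vyper
# pragma version ~=0.4.0
# SafeTransferExample: added example of an ERC-20 transfer that tolerates
# tokens returning no data (USDT-style). Not part of the audited contract.

from ethereum.ercs import IERC20

token: public(IERC20)


@deploy
def __init__(token_addr: address):
    # raw_call does not check for code at the target (an interface extcall
    # does), so a transfer to an empty address would "succeed" with an empty
    # response and be mistaken for a USDT-style success. Reject that up front.
    assert token_addr.is_contract, "token has no code"
    self.token = IERC20(token_addr)


@internal
def _safe_transfer(to: address, amount: uint256):
    # Encode transfer(address,uint256) by hand so the return data can be
    # inspected instead of being ABI-decoded as a mandatory bool.
    response: Bytes[32] = raw_call(
        self.token.address,
        abi_encode(to, amount, method_id=method_id("transfer(address,uint256)")),
        max_outsize=32,
    )
    # Three outcomes:
    #  - the token reverted: raw_call bubbles the revert (revert_on_failure defaults to True)
    #  - no return data (USDT-style): len(response) == 0, treated as success
    #  - 32 bytes returned (standard ERC-20): must decode to True
    if len(response) != 0:
        assert convert(response, bool), "Transfer failed"


@internal
def _safe_transfer_builtin(to: address, amount: uint256):
    # Same behaviour using Vyper's own handling: default_return_value=True is
    # used when the callee returns no data; a returned False still fails here.
    success: bool = extcall self.token.transfer(to, amount, default_return_value=True)
    assert success, "Transfer failed"


@external
def claim_example(to: address, amount: uint256):
    # Stand-in for the payout step of claim(); vesting accounting is omitted.
    self._safe_transfer(to, amount)
```

Either helper works against a standard token, a token that returns False on failure, and a token that returns nothing; the `is_contract` check in the constructor matters only for the raw_call variant, since an interface extcall already reverts when the target has no code.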

Updates

Appeal created

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
