Vyper Vested Claims

First Flight #34
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: high
Invalid

No Check for Valid Token Interface

Description: The contract does not validate that the token address passed to the constructor is a deployed ERC20-compliant contract. If the zero address, an EOA, a mistyped address, or a contract that does not implement the ERC20 interface is supplied, the deployed vesting contract can never pay out.
The constructor at lines 42-55 of the contract stores any address as the token without checking it:

@deploy
def __init__(merkle_root: bytes32, token: address, vesting_start_time: uint256, vesting_end_time: uint256):
    self.merkle_root = merkle_root
    self.token = token
    self.vesting_start_time = vesting_start_time
    self.vesting_end_time = vesting_end_time
    self.owner = msg.sender
    log MerkleRootUpdated(merkle_root)

Impact: If deployed with an invalid token address:

  1. All claim transactions would fail

  2. Users would be unable to receive their vested tokens

  3. The entire contract functionality would be permanently broken

Recommended Mitigation: Vyper has no try/except, so the check cannot be written as an exception handler. Instead, reject the zero address and any address without code, then probe the ERC20 interface with a view call. An external call in Vyper reverts if the target has no code, if the callee reverts, or if it returns fewer bytes than the declared return type, so a failed probe aborts the deployment:

from ethereum.ercs import IERC20

@deploy
def __init__(merkle_root: bytes32, token: address, vesting_start_time: uint256, vesting_end_time: uint256):
    assert token != empty(address), "Token address cannot be zero"
    assert token.is_contract, "Token address has no code"
    # balanceOf is a view function, so it must be invoked with staticcall.
    # If `token` lacks balanceOf, reverts, or returns the wrong size, this
    # call reverts and the constructor (and thus the deployment) fails.
    probe: uint256 = staticcall IERC20(token).balanceOf(self)
    self.merkle_root = merkle_root
    self.token = token
    self.vesting_start_time = vesting_start_time
    self.vesting_end_time = vesting_end_time
    self.owner = msg.sender
    log MerkleRootUpdated(merkle_root)

This check only rules out non-contracts and contracts that do not answer balanceOf; a contract that implements the interface but misbehaves on transfer is not detected by it.
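The same three failure modes (zero address, address without code, balanceOf that reverts or returns the wrong size) can be caught before deployment from the deploy script. The following is an added example written for this page, not code from the original submission or the Vested Claims project. It runs offline against a constructed fake RPC; the `get_code` and `eth_call` callables are assumptions standing in for a real node's eth_getCode / eth_call, and the fake addresses and chain state are constructed sample data.

```python
"""Deployer-side sanity check for the token address handed to the vesting constructor."""
from typing import Callable

ZERO_ADDRESS = "0x" + "00" * 20
# First 4 bytes of keccak256("balanceOf(address)"), the standard ERC20 selector.
BALANCE_OF_SELECTOR = bytes.fromhex("70a08231")


def encode_balance_of(account: str) -> bytes:
    """ABI-encode balanceOf(account): 4-byte selector + 32-byte left-padded address."""
    raw = bytes.fromhex(account[2:])
    assert len(raw) == 20, "address must be 20 bytes"
    return BALANCE_OF_SELECTOR + raw.rjust(32, b"\x00")


def validate_token(token: str,
                   probe_account: str,
                   get_code: Callable[[str], bytes],
                   eth_call: Callable[[str, bytes], bytes]) -> str:
    """Return "ok" if `token` answers like an ERC20, otherwise a reason string.

    Mirrors what the on-chain staticcall would reject: the zero address, an
    address with no code (EOA or typo), and a contract whose balanceOf reverts
    or does not return exactly one 32-byte word.
    """
    if token.lower() == ZERO_ADDRESS:
        return "zero address"
    if len(get_code(token)) == 0:
        return "no code at address"
    try:
        ret = eth_call(token, encode_balance_of(probe_account))
    except Exception as exc:  # a node surfaces a revert as an error
        return f"balanceOf reverted: {exc}"
    if len(ret) != 32:
        return f"balanceOf returned {len(ret)} bytes, expected 32"
    return "ok"


# --- constructed fake chain state so the example runs offline (assumption) ---
FAKE_TOKEN = "0x" + "11" * 20          # answers balanceOf like an ERC20
FAKE_EOA = "0x" + "22" * 20            # no code: the classic mistyped address
FAKE_BAD_CONTRACT = "0x" + "33" * 20   # has code, but balanceOf reverts
FAKE_EMPTY_RETURN = "0x" + "44" * 20   # has code, returns no data
DEPLOYER = "0x" + "aa" * 20

_CODE = {FAKE_TOKEN: b"\x60\x80", FAKE_BAD_CONTRACT: b"\x60\x80", FAKE_EMPTY_RETURN: b"\x60\x80"}


def fake_get_code(addr: str) -> bytes:
    """Stand-in for eth_getCode: only the three fake contracts have bytecode."""
    return _CODE.get(addr, b"")


def fake_eth_call(addr: str, data: bytes) -> bytes:
    """Stand-in for eth_call against the constructed fake chain."""
    if addr == FAKE_TOKEN and data[:4] == BALANCE_OF_SELECTOR:
        return (1000).to_bytes(32, "big")
    if addr == FAKE_EMPTY_RETURN:
        return b""
    raise RuntimeError("execution reverted")


if __name__ == "__main__":
    for name, addr in [("token", FAKE_TOKEN), ("eoa", FAKE_EOA),
                       ("bad", FAKE_BAD_CONTRACT), ("empty", FAKE_EMPTY_RETURN),
                       ("zero", ZERO_ADDRESS)]:
        print(f"{name:6} {validate_token(addr, DEPLOYER, fake_get_code, fake_eth_call)}")
```

Running the check in the deploy pipeline and refusing to broadcast the deployment unless it returns "ok" catches the misconfiguration before any gas is spent, whereas the on-chain assert only makes the failed deployment revert.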
Updates

Appeal created

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
