Vyper Vested Claims

First Flight #34
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: medium
Invalid

Missing Validation for Vesting Timeframe

Description: The contract's constructor doesn't validate that the vesting end time is greater than the vesting start time. This could lead to a permanently broken vesting schedule if incorrect parameters are provided during deployment.

Lines 42-55 in the init function:

@deploy
def __init__(merkle_root: bytes32, token: address, vesting_start_time: uint256, vesting_end_time: uint256):
    """
    @notice Initialize the contract with the merkle root, token address, vesting start and end time
    @param merkle_root: bytes32, the merkle root of the vesting list
    @param token: address, the address of the token contract
    @param vesting_start_time: uint256, the start time of the vesting
    @param vesting_end_time: uint256, the end time of the vesting
    """
    self.merkle_root = merkle_root
    self.token = token
    self.vesting_start_time = vesting_start_time
    self.vesting_end_time = vesting_end_time
    self.owner = msg.sender
    log MerkleRootUpdated(merkle_root)

Impact: If vesting_end_time ≤ vesting_start_time, the vesting calculation will break, potentially causing:

  1. Division by zero if the times are equal (in the _calculate_vested_amount function)

  2. Negative elapsed time calculations if end time is before start time

  3. Users unable to claim their rightful tokens due to broken vesting mechanics

Proof of Concept: If the contract is deployed with vesting_start_time = 1000 and vesting_end_time = 1000, then:

  • vesting_duration = end_time - start_time = 0

  • In _calculate_vested_amount, the calculation (linear_vesting * elapsed) // vesting_duration would attempt to divide by zero, causing the transaction to revert

Recommended Mitigation: Add validation in the constructor to ensure the vesting timeframe is valid:

@deploy
def __init__(merkle_root: bytes32, token: address, vesting_start_time: uint256, vesting_end_time: uint256):
    assert vesting_end_time > vesting_start_time, "Invalid vesting timeframe"
    assert token != empty(address), "Token address cannot be zero"
    assert merkle_root != empty(bytes32), "Merkle root cannot be empty"
    self.merkle_root = merkle_root
    self.token = token
    self.vesting_start_time = vesting_start_time
    self.vesting_end_time = vesting_end_time
    self.owner = msg.sender
    log MerkleRootUpdated(merkle_root)
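
An added example, not part of the submission or the contract: a Python model of the two expressions quoted in the proof of concept, evaluated with checked uint256 arithmetic as Vyper does, next to the deploy-time check from the recommended mitigation. The function shape, the helper names (u256, check_timeframe, linear_vested, attempt) and the sample values are assumptions; the contract's real _calculate_vested_amount is not shown on this page.

```python
UINT256_MAX = 2**256 - 1


class Revert(Exception):
    """Stands in for an EVM revert (failed assert or checked-arithmetic error)."""


def u256(value: int) -> int:
    # Vyper's uint256 arithmetic is checked: a result outside the range reverts.
    if not 0 <= value <= UINT256_MAX:
        raise Revert("uint256 out of range")
    return value


def check_timeframe(start: int, end: int) -> None:
    # The first assert proposed in the recommended mitigation.
    if not end > start:
        raise Revert("Invalid vesting timeframe")


def linear_vested(linear_vesting: int, start: int, end: int, now: int) -> int:
    # Assumed model: only the expressions quoted in the proof of concept.
    vesting_duration = u256(end - start)   # reverts when end < start
    elapsed = u256(now - start)            # reverts when now < start
    if vesting_duration == 0:
        raise Revert("division by zero")   # start == end
    return u256(linear_vesting * elapsed) // vesting_duration


def attempt(fn, *args):
    # Return the call's result, or a string describing the revert.
    try:
        return fn(*args)
    except Revert as exc:
        return f"revert: {exc}"


if __name__ == "__main__":
    amount = 1_000  # constructed sample allocation
    # Constructed timeframes: valid, equal (the write-up's case), inverted.
    for start, end in [(1000, 2000), (1000, 1000), (2000, 1000)]:
        print(f"start={start} end={end}",
              "| deploy check:", attempt(check_timeframe, start, end),
              "| claim:", attempt(linear_vested, amount, start, end, start + 500))
```

In this model both invalid timeframes revert on every claim, while the constructor assert rejects them once at deployment.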
Updates

Appeal created

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
