Vyper Vested Claims

First Flight #34
Tags: Beginner Friendly, DeFi
100 EXP

Submission Details
Severity: low
Status: Invalid

Front-Running Vulnerability in Merkle Root Updates in the `VestedAirdrop::set_merkle_root` Function

Description: The `set_merkle_root` function lets the owner replace the merkle root immediately, with no delay and no advance notice to users. An owner transaction that changes the root can therefore land ahead of pending user claim transactions, whose proofs were built against the previous root.

Lines 159-165:

```vyper
@external
def set_merkle_root(merkle_root: bytes32):
    """
    @notice This function is used to set the merkle root
    @param merkle_root bytes32, the new merkle root
    @dev This function can only be called by the owner
    """
    self.onlyOwner()
    self.merkle_root = merkle_root
    log MerkleRootUpdated(merkle_root)
```

Impact: If the owner updates the merkle root, whether maliciously or by mistake, pending user claim transactions whose proofs were built against the old root may fail, leading to confusion and a potential denial of service for legitimate claims.

Recommended Mitigation: Implement a timelock for merkle root updates, so that a new root is first proposed and can only be applied after a fixed delay:

```vyper
proposed_merkle_root: public(bytes32)
root_change_time: public(uint256)
ROOT_CHANGE_DELAY: constant(uint256) = 86400  # 1 day

@external
def propose_merkle_root(merkle_root: bytes32):
    # Owner schedules a new root; it cannot take effect before the delay elapses
    self.onlyOwner()
    self.proposed_merkle_root = merkle_root
    self.root_change_time = block.timestamp + ROOT_CHANGE_DELAY
    # Log event

@external
def apply_merkle_root():
    # Owner activates the proposed root once the timelock has expired
    self.onlyOwner()
    assert block.timestamp >= self.root_change_time, "Timelock not expired"
    assert self.proposed_merkle_root != empty(bytes32), "No proposal"
    self.merkle_root = self.proposed_merkle_root
    self.proposed_merkle_root = empty(bytes32)
    log MerkleRootUpdated(self.merkle_root)
```
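As an added illustration (not code from this submission or from the audited contract), the following Python model runs both update paths: a claim whose proof was built against the old root fails once `set_merkle_root` has swapped the root in, but still verifies while the new root sits in the timelock. It assumes a leaf of `address || amount`, sorted-pair node hashing, and `hashlib.sha3_256` standing in for keccak256; the accounts and amounts are constructed sample data.

```python
import hashlib
ROOT_CHANGE_DELAY = 86400  # seconds, as in the recommended mitigation

def h(data: bytes) -> bytes:  # sha3_256 stands in for keccak256, which hashlib lacks
    return hashlib.sha3_256(data).digest()

def leaf(account: str, amount: int) -> bytes:
    return h(account.encode() + amount.to_bytes(32, "big"))

def build_tree(leaves):
    """Return (root, proofs); sorted-pair hashing, len(leaves) must be a power of two."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([h(min(a, b) + max(a, b)) for a, b in zip(lvl[0::2], lvl[1::2])])
    # proofs[i] is the sibling path for leaves[i]: at depth d its ancestor sits at i >> d
    proofs = [[lvl[(i >> d) ^ 1] for d, lvl in enumerate(levels[:-1])] for i in range(len(leaves))]
    return levels[-1][0], proofs

def verify(root, node, proof):
    for sib in proof:
        node = h(min(node, sib) + max(node, sib))
    return node == root

class Airdrop:  # model of both update paths: immediate set vs. timelocked propose/apply
    def __init__(self, root, now):
        self.merkle_root, self.proposed_root, self.root_change_time, self.now = root, b"", 0, now
    def set_merkle_root(self, root):  # current contract: takes effect at once
        self.merkle_root = root
    def propose_merkle_root(self, root):  # mitigation: schedule, apply after the delay
        self.proposed_root, self.root_change_time = root, self.now + ROOT_CHANGE_DELAY
    def apply_merkle_root(self):
        assert self.now >= self.root_change_time, "Timelock not expired"
        assert self.proposed_root != b"", "No proposal"
        self.merkle_root, self.proposed_root = self.proposed_root, b""
    def claim(self, account, amount, proof):
        return verify(self.merkle_root, leaf(account, amount), proof)

def scenario():
    """(claim result after an immediate root swap, claim result while the swap is timelocked)"""
    old = [leaf("0xA", 100), leaf("0xB", 200), leaf("0xC", 300), leaf("0xD", 400)]
    root_a, proofs = build_tree(old)
    root_b, _ = build_tree(old[:3] + [leaf("0xE", 500)])  # constructed revised allocation
    immediate = Airdrop(root_a, now=1_000)  # 0xA's claim was built against root_a
    immediate.set_merkle_root(root_b)  # owner's update mines before the claim
    lost = immediate.claim("0xA", 100, proofs[0])  # False: proof no longer matches
    locked = Airdrop(root_a, now=1_000)
    locked.propose_merkle_root(root_b)
    safe = locked.claim("0xA", 100, proofs[0])  # True: old root live for one more day
    return lost, safe
```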
Updates

Appeal created

bube (Lead Judge), 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] No checks in `set_merkle_root` function

The `set_merkle_root` function is called only by the `owner`, and the `owner` is trusted. This means the input argument `merkle_root` will be correct and the `owner` will not call the `set_merkle_root` function again.
