Vyper Vested Claims

First Flight #34
Beginner Friendly, DeFi
Submission Details
Severity: low
Invalid

[L-3] Consider adding zero address checks for user

Summary

The following functions do not check if the user address is the zero address before proceeding with execution:

  • VestedAirdrop::rescue_tokens

  • VestedAirdrop::claim

  • VestedAirdrop::claimable_amount

Vulnerability Details

VestedAirdrop::claim would likely fail with the verify_proof assertion if the user address is the zero address. However, it is recommended to add a check for the zero address to prevent any unexpected behavior.

Impact

VestedAirdrop::rescue_tokens could send tokens to the zero address unintentionally. VestedAirdrop::claimable_amount could return a spurious claimable amount for the zero address, since it does not consult the Merkle tree. VestedAirdrop::claim would likely fail with the verify_proof assertion if the user address is the zero address, unless the zero address is included in the Merkle tree.

POC

Add these tests:

```python
def test_audit_claimable_amount_with_user_address_zero(self):
    """
    claimable_amount with user address zero
    @dev will fail since it does not check the Merkle tree and return
    amount for the zero address
    """
    claimable = self.airdrop.claimable_amount(Address("0x" + ZERO_ADDRESS.hex()), self.amount)
    assert claimable == 0

def test_audit_claim_with_user_address_zero(self):
    """
    claim with user address zero
    @dev will fail on first assertion `verify_proof` since the user address is zero and not in the Merkle tree (but it could be)
    """
    claimable = self.airdrop.claim(Address("0x" + ZERO_ADDRESS.hex()), self.amount, self.proof)
    assert claimable == 0
```

Recommendations

Add a check to ensure the user address is not the zero address before proceeding with execution. Vyper has no importable `ZERO_ADDRESS` constant (`eth.constants` is a Python package, not something a Vyper contract can import); the built-in `empty(address)` is the zero address:

```vyper
...
# Place at the top of rescue_tokens, claim and claimable_amount
assert user != empty(address), "User address cannot be zero"
```
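To make the Impact reasoning and the fix concrete, here is an added Python model of the three functions (not the audited contract's code). The Merkle leaf encoding, the sha256 hashing, the power-of-two leaf count and the `amount // 2` vesting rule are all constructed assumptions; `check_zero` toggles the recommended zero-address assertion.

```python
import hashlib
ZERO_ADDRESS = "0x" + "00" * 20  # the EVM zero address

def _h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def leaf(user: str, amount: int) -> bytes:
    # Constructed leaf encoding; the real contract's hashing is not on the page.
    return _h(bytes.fromhex(user[2:]) + amount.to_bytes(32, "big"))

def root_and_proof(leaves, index):
    # Walks the constructed tree upward, collecting the sibling of `index` at each level.
    level, proof = list(leaves), []
    while len(level) > 1:
        proof.append(level[index ^ 1])
        index //= 2
        level = [_h(min(a, b) + max(a, b)) for a, b in zip(level[::2], level[1::2])]
    return level[0], proof

def verify_proof(root, node, proof):
    for sib in proof:
        node = _h(min(node, sib) + max(node, sib))
    return node == root

class VestedAirdropModel:
    # Toy model of rescue_tokens / claim / claimable_amount with the fix behind a flag.
    def __init__(self, root, check_zero=False):
        self.root, self.check_zero, self.transfers = root, check_zero, []
    def _guard(self, user):
        if self.check_zero:                 # the recommended check
            assert user != ZERO_ADDRESS, "User address cannot be zero"
    def claimable_amount(self, user, amount):
        self._guard(user)
        return amount // 2                  # pure arithmetic: no Merkle membership check
    def claim(self, user, amount, proof):
        self._guard(user)
        assert verify_proof(self.root, leaf(user, amount), proof), "invalid proof"
        due = self.claimable_amount(user, amount)
        self.transfers.append((user, due))
        return due
    def rescue_tokens(self, to, amount):
        self._guard(to)
        self.transfers.append((to, amount))   # tokens are lost if `to` is the zero address
        return amount

def outcome(fn, *args):
    # Returns the function's result, or the assertion message if it reverts.
    try:
        return fn(*args)
    except AssertionError as e:
        return str(e)
```

Without the guard, `claimable_amount` reports a vested figure for the zero address and `rescue_tokens` happily transfers to it, while `claim` only fails because the zero address happens not to be a leaf.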
Updates

Appeal created

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
