Vyper Vested Claims

First Flight #34
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: low
Invalid

Unrestricted Merkle Root Updates

Summary

The owner can replace the Merkle root at any time, including after vesting has started, which changes which addresses can claim and how much.

Vulnerability Details

  • The set_merkle_root function lets the owner replace the Merkle root after deployment with no restriction on timing. Every proof issued against the old root fails verification under the new one, so legitimate beneficiaries lose the ability to claim, and a root computed from an owner-chosen allocation set lets arbitrary addresses claim arbitrary amounts.

@external
def set_merkle_root(merkle_root: bytes32):
    self.onlyOwner()
    self.merkle_root = merkle_root

Impact

  • High : A malicious or compromised owner could replace the root mid-vesting, invalidating legitimate beneficiaries' proofs or inserting allocations for arbitrary addresses.

Recommendations

  • Restrict Merkle root updates to a specific timeframe (e.g., before vesting starts) by adding the following check to set_merkle_root after the onlyOwner call:

assert block.timestamp < self.vesting_start_time, "Merkle root can only be updated before vesting starts"
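
The effect of a root swap on already-issued proofs, and the recommended time gate, as an added example in plain Python (this is not code from the Vyper Vested Claims contract or from the submission). It assumes sha256 in place of keccak256, a leaf encoding of 20-byte address || 32-byte amount, and sorted-pair hashing; the contract's own leaf encoding and verifier are not reproduced here, and the VestedClaims class is a hypothetical model of the setter and claim check.

```python
# Added example (not the contract's or the submission's code): a Merkle
# allowlist in plain Python showing what replacing the root does to proofs
# issued against the old root, beside a time-gated setter.
# Assumptions: sha256 stands in for keccak256, leaf = address || amount,
# and sibling pairs are hashed in sorted order.
import hashlib
from typing import Dict, List


def hash_bytes(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf(addr: str, amount: int) -> bytes:
    """Leaf = H(20-byte address || 32-byte big-endian amount) (assumed encoding)."""
    return hash_bytes(bytes.fromhex(addr[2:]).rjust(20, b"\0") + amount.to_bytes(32, "big"))


def hash_pair(a: bytes, b: bytes) -> bytes:
    """Order-independent pair hash, so proofs carry no left/right flags."""
    return hash_bytes(a + b) if a <= b else hash_bytes(b + a)


def _pad(level: List[bytes]) -> List[bytes]:
    return level + [level[-1]] if len(level) % 2 else level  # duplicate last node on odd levels


def _next_level(level: List[bytes]) -> List[bytes]:
    level = _pad(level)
    return [hash_pair(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: List[bytes]) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves: List[bytes], index: int) -> List[bytes]:
    proof, level = [], list(leaves)
    while len(level) > 1:
        level = _pad(level)
        proof.append(level[index ^ 1])  # sibling of the node at this level
        level = _next_level(level)
        index //= 2
    return proof


def verify(root: bytes, leaf_hash: bytes, proof: List[bytes]) -> bool:
    node = leaf_hash
    for sibling in proof:
        node = hash_pair(node, sibling)
    return node == root


class VestedClaims:
    """Hypothetical model of the root setter and claim check, not the real contract."""

    def __init__(self, owner: str, root: bytes, vesting_start_time: int, lock_after_start: bool):
        self.owner = owner
        self.merkle_root = root
        self.vesting_start_time = vesting_start_time
        self.lock_after_start = lock_after_start  # True models the recommended fix

    def set_merkle_root(self, caller: str, root: bytes, now: int) -> None:
        assert caller == self.owner, "onlyOwner"
        if self.lock_after_start:
            assert now < self.vesting_start_time, "Merkle root can only be updated before vesting starts"
        self.merkle_root = root

    def can_claim(self, user: str, amount: int, proof: List[bytes]) -> bool:
        return verify(self.merkle_root, leaf(user, amount), proof)


# Constructed sample allocations for this example only
OWNER = "0x" + "01" * 20
ALLOCATIONS = [("0x" + "aa" * 20, 1_000), ("0x" + "bb" * 20, 2_500), ("0x" + "cc" * 20, 400)]
ATTACKER, ATTACKER_AMOUNT = "0x" + "ee" * 20, 1_000_000
VESTING_START = 1_700_000_000


def demo() -> Dict[str, bool]:
    leaves = [leaf(a, n) for a, n in ALLOCATIONS]
    honest_root = merkle_root(leaves)
    user, amount = ALLOCATIONS[1]
    user_proof = merkle_proof(leaves, 1)  # proof issued against the honest root
    rogue_root = merkle_root([leaf(ATTACKER, ATTACKER_AMOUNT)])
    after_start = VESTING_START + 86_400

    # Unrestricted setter: the root is swapped one day into vesting.
    vuln = VestedClaims(OWNER, honest_root, VESTING_START, lock_after_start=False)
    results = {"proof_valid_before_swap": vuln.can_claim(user, amount, user_proof)}
    vuln.set_merkle_root(OWNER, rogue_root, now=after_start)
    results["proof_valid_after_swap"] = vuln.can_claim(user, amount, user_proof)
    results["attacker_can_claim_after_swap"] = vuln.can_claim(ATTACKER, ATTACKER_AMOUNT, [])

    # Time-gated setter: the same swap is rejected once vesting has started.
    fixed = VestedClaims(OWNER, honest_root, VESTING_START, lock_after_start=True)
    try:
        fixed.set_merkle_root(OWNER, rogue_root, now=after_start)
        results["swap_rejected_after_start"] = False
    except AssertionError:
        results["swap_rejected_after_start"] = True
    results["proof_still_valid_in_fixed"] = fixed.can_claim(user, amount, user_proof)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The single-leaf rogue tree needs an empty proof, which is why the attacker's claim passes with no siblings; in the gated model the owner can still fix a mistaken root before vesting_start_time, which is the window the recommendation preserves.
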
Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] No checks in `set_merkle_root` function

The `set_merkle_root` function is called only by the `owner`, and the `owner` is trusted. This means the input argument `merkle_root` will be correct and the `owner` will not call the `set_merkle_root` function again.
