Vyper Vested Claims

First Flight #34
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: low
Invalid

Owner can rescue tokens, risking fund withdrawal

Summary: Owner can rescue tokens, risking fund withdrawal

Vulnerability Details: The `rescue_tokens` function allows the owner to withdraw any ERC20 tokens, including those allocated for vesting, leading to potential rug pulls.

Impact: Medium/High. Depends on trust in the owner but poses a centralization risk.

Tools Used: Manual review

Recommendations: Remove the function or restrict it to non-vesting tokens. Implement multi-sig or timelock for emergencies.

Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[Invalid] Owner can call `rescue_tokens` and withdraw users' tokens

The `owner` is trusted and the function `rescue_tokens` can be called only by the owner and only in case of emergency. This means the owner will not act maliciously and will not call the function without need. Also, issues related to malicious admin actions are invalid according to the CodeHawks documentation: https://support.cyfrin.io/en/articles/10059196-findings-validity
