code-423n4 / 2021-05-88mph-findings


Anyone can withdraw vested amount on behalf of someone #15

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

The Vesting.withdrawVested function allows withdrawing the tokens of other users. While the tokens are sent to the correct address, this can lead to issues with smart contracts that might rely on claiming the tokens themselves.

As one example, suppose the _to address corresponds to a smart contract that has a function of the following form:

```solidity
// Illustrative caller from the finding: it assumes that its own call is what claims the vest.
function withdrawAndDoSomething(uint256 amount) external {
    vesting.withdrawVested(address(this), amount); // may already have been called for us by a third party
    token.transfer(externalWallet, amount);
}
```

Impact

If the contract has no other functions to transfer out funds, they may be locked forever in this contract.

Recommended Mitigation Steps

Do not allow users to withdraw on behalf of other users.
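To make the reported pattern and the recommended mitigation concrete, below is an added, constructed minimal vesting contract; it is not 88mph's Vesting.sol, and the `Vest` layout, `grant` and the function names are assumptions. `withdrawVestedFor` keeps the behaviour the finding describes, and `withdrawVested` is the hardened form in which only the vest owner can trigger its own claim.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
// Constructed illustration, not the project's Vesting.sol: one linear grant per account,
// with the reported withdraw pattern and the hardened form side by side.
contract VestingExample {
    struct Vest { uint256 amount; uint256 start; uint256 duration; uint256 withdrawn; }
    IERC20 public immutable token;
    mapping(address => Vest) public vests;

    constructor(IERC20 _token) { token = _token; }

    // Funder escrows `amount` tokens that vest linearly to `beneficiary` over `duration` seconds.
    function grant(address beneficiary, uint256 amount, uint256 duration) external {
        require(vests[beneficiary].amount == 0 && duration > 0, "bad grant");
        vests[beneficiary] = Vest(amount, block.timestamp, duration, 0);
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    function vestedOf(address account) public view returns (uint256) {
        Vest storage v = vests[account];
        if (block.timestamp >= v.start + v.duration) return v.amount;
        return v.amount * (block.timestamp - v.start) / v.duration;
    }

    // VULNERABLE pattern from the finding: any caller picks `account`. Tokens still reach
    // `account`, but a contract there that expects to claim inside its own call (like
    // withdrawAndDoSomething above) reverts here once someone else has already claimed for it.
    function withdrawVestedFor(address account) external returns (uint256) {
        return _withdraw(account);
    }

    // HARDENED (recommended mitigation): only the vest owner can trigger its claim.
    function withdrawVested() external returns (uint256) {
        return _withdraw(msg.sender);
    }

    function _withdraw(address account) internal returns (uint256 withdrawn) {
        Vest storage v = vests[account];
        withdrawn = vestedOf(account) - v.withdrawn;
        require(withdrawn > 0, "nothing to withdraw");
        v.withdrawn += withdrawn;
        require(token.transfer(account, withdrawn), "transfer failed");
    }
}
```

A caller contract that needs to forward its vested tokens should either use the hardened `withdrawVested` or, if the vesting contract cannot change, transfer its current token balance rather than a fixed `amount` after claiming.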

ZeframLou commented 3 years ago

This is true, but Vesting.sol is only kept for legacy support; Vesting02.sol will be the main vesting contract, so we're fine with this.