0xstormtrooper
commented
2 years ago Users will be warned that depositing resets the vesting term. This will also be documented on the contract.
Open code423n4 opened 2 years ago
0xstormtrooper
commented
2 years ago Users will be warned that depositing resets the vesting term. This will also be documented on the contract.
Handle
leastwood
Vulnerability details
Impact
The
VaderBond.deposit()function overwrites a depositors bond info on each call with the updatedpayoutinformation. If any of the vesting is left unclaimed before a call todeposit()is made, the vesting period is reset toterms.vestingTerm, resulting in the bond holder having to wait again in order to claim tokens that they could previously claim.Proof of Concept
https://github.com/code-423n4/2021-11-vader/blob/main/repo/vader-bond/contracts/VaderBond.sol#L192
Tools Used
Manual code review.
Recommended Mitigation Steps
Consider preventing users from depositing to an existing bond holder or alternatively when a deposit is made, force the user to redeem any claimable tokens in the same function.