code-423n4 / 2021-11-vader-findings

0 stars 0 forks source link

DOS in LinearVesting #268

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

hack3r-0m

Vulnerability details

https://github.com/code-423n4/2021-11-vader/blob/main/contracts/tokens/vesting/LinearVesting.sol#L214-L226

1) vestFor allows anyone to vest on anyone's behalf. 2) vestFor allows to vest only once per user ( https://github.com/code-423n4/2021-11-vader/blob/main/contracts/tokens/vesting/LinearVesting.sol#L215-L218 )

so if some user wants to vest 1000 tokens, then a malicious actor can vest 1 token on behalf of that user. it will stop user from vesting 1000 tokens.

This can lead to protocol being unusable.

SamSteinGG commented 3 years ago

Duplicate of #229