code-423n4 / 2021-12-vader-findings


missing check in getClaim #85

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

certora

Vulnerability details

https://github.com/code-423n4/2021-12-vader/blob/main/contracts/tokens/vesting/LinearVesting.sol#L77

getClaim uses the modifier hasStarted, which checks whether the vesting period started, and if it didn't, it reverts with the following message:

"LinearVesting::_hasStarted: Vesting hasn't started yet"

The problem is that it checks it for the general vesting period and not for _vester, and because different vesters have different start times, if _vester has a different start time than start, it won't revert in hasStarted, and therefore will have a wrong revert message.

0xstormtrooper commented 2 years ago

If start == 0, vesting has not started, so it makes sense to fail the call to getClaim. If start > 0, then the call to getClaim returns a number, given that _vester is indeed vested. There is no bug here.