When users vest in StakedCitadelVester, the tokens will be locked for the vesting duration. Users can call claim() to get back their tokens. The claimable amount is calculated in claimableBalance(). Before the duration ends, the claimable amount is
Alice can still claim all the tokens after the vesting duration ends, but as Alice keeps vesting, it gets harder to claim tokens back during the vesting duration, since lockedAmounts will keep growing.
Lines of code
https://github.com/code-423n4/2022-04-badger-citadel/blob/main/src/StakedCitadelVester.sol#L132
https://github.com/code-423n4/2022-04-badger-citadel/blob/main/src/StakedCitadelVester.sol#L85
https://github.com/code-423n4/2022-04-badger-citadel/blob/main/src/StakedCitadelVester.sol#L108
Vulnerability details
Impact
When users vest in StakedCitadelVester, the tokens will be locked for the vesting duration. Users can call claim() to get back their tokens. The claimable amount is calculated in claimableBalance(). Before the duration ends, the claimable amount is
It seems to be a fair claimable amount. However, if users keep vesting more and more, claimableBalance() will become unfair and sometimes revert.
Proof of Concept
vesting[recipient].lockedAmounts becomes 10000
https://github.com/code-423n4/2022-04-badger-citadel/blob/main/src/StakedCitadelVester.sol#L132
vesting[msg.sender].claimedAmounts becomes 10000
https://github.com/code-423n4/2022-04-badger-citadel/blob/main/src/StakedCitadelVester.sol#L85
https://github.com/code-423n4/2022-04-badger-citadel/blob/main/src/StakedCitadelVester.sol#L108
vesting[recipient].lockedAmounts becomes 10100
claimableBalance()
Since
This line will revert
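The accounting behind these steps, modelled in Python as an added example (not code from the report or from the Citadel contracts). It assumes linear vesting, claimable = lockedAmounts * elapsed / duration - claimedAmounts, with vest() restarting the unlock window; DURATION, the helper names and the rollover option are hypothetical, and the rollover branch is one possible hardening, not the report's recommended change.

```python
# Added model, not the contract's source. Assumed: linear vesting and a vest()
# that adds to lockedAmounts while restarting the unlock window.
from dataclasses import dataclass

DURATION = 21 * 86400  # constructed value; the real vesting duration is not given here

class Revert(Exception):
    """Stands in for a Solidity 0.8 checked-arithmetic revert."""

def sub(a: int, b: int) -> int:
    if b > a:
        raise Revert(f"underflow: {a} - {b}")
    return a - b

@dataclass
class Vesting:
    locked: int = 0   # vesting[recipient].lockedAmounts
    claimed: int = 0  # vesting[msg.sender].claimedAmounts
    begin: int = 0
    end: int = 0

def vest(v: Vesting, amount: int, now: int, rollover: bool = False) -> None:
    if rollover:
        # Hypothetical hardening: carry only the unclaimed remainder forward.
        v.locked, v.claimed = sub(v.locked, v.claimed), 0
    v.locked += amount
    v.begin, v.end = now, now + DURATION

def claimable_balance(v: Vesting, now: int) -> int:
    if now >= v.end:
        return sub(v.locked, v.claimed)
    return sub(v.locked * (now - v.begin) // (v.end - v.begin), v.claimed)

def claim(v: Vesting, now: int) -> int:
    amount = claimable_balance(v, now)
    v.claimed += amount
    return amount

def scenario(rollover: bool):
    v = Vesting()
    vest(v, 10000, now=0, rollover=rollover)
    claim(v, now=DURATION)                         # claimed becomes 10000
    vest(v, 100, now=DURATION, rollover=rollover)  # locked becomes 10100 without rollover
    try:
        return claimable_balance(v, now=DURATION + DURATION // 2)
    except Revert:
        return "revert"
```

Halfway through the second window the unmodified accounting computes 5050 - 10000 and reverts, while the rollover variant returns 50. With rollover, any vested but unclaimed tokens are re-locked into the new schedule, which is a design trade-off to weigh.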
Tools Used
vim
Recommended Mitigation Steps
vest() could be modified like the following code.