code-423n4 / 2022-09-vtvl-findings


numTokensReservedForVesting is not compared with contract balance #453

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-09-vtvl/blob/f68b7f3e61dad0d873b5b5a1e8126b839afeab5f/contracts/VTVLVesting.sol#L245-L304

Vulnerability details

Impact

In the VTVLVesting contract, the claims are created without comparing the numTokensReservedForVesting variable to the contract balance. If the sum of all user vesting tokens is below this param, then the contract will be insolvent to be withdrawn.

Proof of Concept

Suppose the admin has created a large number of claims, the numTokensReservedForVesting increased dramatically, and the project got hyped at one point. If the contract.balance is less than numTokensReservedForVesting and the vesting owners start withdrawing their claimed tokens, then it will not be solvent to supply the requested amount of tokens. The same scenario can be applied in turbulent market conditions where the users want to keep their tokens' economic value.


Tools Used

Manual Review

Recommended Mitigation Steps

Consider comparing contract.balance with numTokensReservedForVesting when creating claims.
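
The check this mitigation describes, as an added example that is not part of the original report or the VTVL code base. The contract, function and error names are hypothetical (only numTokensReservedForVesting is taken from the report), and the vesting schedule is omitted so that only the reserved-balance accounting is shown:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration only: names are hypothetical, not taken from VTVLVesting.sol.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract ReservedBalanceSketch {
    IERC20 public immutable token;
    address public immutable admin;
    uint256 public numTokensReservedForVesting; // sum of all unclaimed allocations
    mapping(address => uint256) public allocation;

    constructor(IERC20 _token) {
        token = _token;
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "NOT_ADMIN");
        _;
    }

    // A claim is accepted only if the tokens already held cover every
    // existing reservation plus the new one.
    function createClaim(address recipient, uint256 amount) external onlyAdmin {
        require(amount > 0, "INVALID_AMOUNT");
        require(
            token.balanceOf(address(this)) >= numTokensReservedForVesting + amount,
            "INSUFFICIENT_BALANCE"
        );
        allocation[recipient] += amount;
        numTokensReservedForVesting += amount;
    }

    // Vesting schedule omitted: the recipient draws down their allocation.
    function withdraw(uint256 amount) external {
        allocation[msg.sender] -= amount; // reverts on underflow in 0.8.x
        numTokensReservedForVesting -= amount;
        require(token.transfer(msg.sender, amount), "TRANSFER_FAILED");
    }

    // The admin can only remove the surplus above what is reserved.
    function withdrawSurplus(uint256 amount) external onlyAdmin {
        uint256 surplus = token.balanceOf(address(this)) - numTokensReservedForVesting;
        require(amount <= surplus, "INSUFFICIENT_BALANCE");
        require(token.transfer(admin, amount), "TRANSFER_FAILED");
    }
}
```

With the balance check applied at claim creation and admin withdrawals limited to the surplus, numTokensReservedForVesting never exceeds the contract's token balance for a standard ERC-20 (no fee-on-transfer or rebasing).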

0xSorryNotSorry commented 2 years ago

I skipped that giant require statement. Invalid.

0xean commented 2 years ago

Closing as invalid.