Lines of code

https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L206 https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L215 https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L196

Vulnerability details

Impact

According to the contract, finalVestedAmount function calculates the total vested at the end of the schedule. vestedAmount function calculates the amount vested for a given _recipient at a reference timestamp. claimableAmount function Calculates how much can we claim, by subtracting the already withdrawn amount from the vestedAmount at this moment.

But there is a missing check for if the claim is active or not.

Proof of Concept

https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L206

 function finalVestedAmount(address _recipient) public view returns (uint112) {
        Claim storage _claim = claims[_recipient];
        return _baseVestedAmount(_claim, _claim.endTimestamp);
    }

https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L196

    function vestedAmount(address _recipient, uint40 _referenceTs) public view returns (uint112) {
        Claim storage _claim = claims[_recipient];
        return _baseVestedAmount(_claim, _referenceTs);
    }

https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L215

    function claimableAmount(address _recipient) external view returns (uint112) {
        Claim storage _claim = claims[_recipient];
        return _baseVestedAmount(_claim, uint40(block.timestamp)) - _claim.amountWithdrawn;
    }

Tools Used

Manual Analysis

Recommended Mitigation Steps

Add check as shown below:

    function claimableAmount(address _recipient) external view returns (uint112) {
 if(_claim.isActive){
        Claim storage _claim = claims[_recipient];
        return _baseVestedAmount(_claim, uint40(block.timestamp)) - _claim.amountWithdrawn;
        }
    }

code-423n4 / 2022-09-vtvl-findings