Closed sherlock-admin2 closed 9 months ago
Invalid. The vesting escrow is not designed to work with tokens that have multiple addresses.
1 comment(s) were left on this issue during the judging contest.
_rahul commented:
Invalid: Non standard / weird-tokens are not considered valid by default unless these tokens are explicitly mentioned in the README.
Krace
medium
VestingEscrow
cannot work properly with multiple addresses tokenSummary
Should the
token()
within theVestingEscrow
involve multiple addresses, it becomes possible for anyone to transfer all remaining tokens, including thelocked()
andunclaimed()
ones, to the designatedrecipient()
.Vulnerability Detail
The
recoverERC20
function exclusively transfers the surplustoken()
within the contract, ensuring sufficienttoken()
remains for bothlocked()
andunclaimed()
tokens.However, there exists a token with multiple addresses, enabling the transfer of the same token with different addresses. An attacker could exploit this by utilizing a distinct address to circumvent the checks and transfer all tokens to the
recipient()
.Impact
The
locked()
andunclaimed()
token in theVestingEscrow
could be transferred to therecipient()
incorrectly, causing the entire contract to not work properly.Code Snippet
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/2d14c2b84b69c53a45c81aa4f907af9617f9a94f/rio-vesting-escrow/src/VestingEscrow.sol#L202-L212
Tool used
Manual Review
Recommendation
It's recommended to add a check in function
recoverERC20
to make sure that thetoken().bakanceOf(this)
after transferring is equal to or greater than thelocked() + unclaimed()
.Duplicate of #62