sherlock-audit / 2024-01-rio-vesting-escrow-judging


rvierdiiev - VestingEscrow.revokeAll function can be front-run #49

Closed sherlock-admin2 closed 9 months ago

sherlock-admin2 commented 9 months ago

rvierdiiev

medium

VestingEscrow.revokeAll function can be front-run

Summary

Recipient can frontrun revokeAll function to claim unclaimed tokens.

Vulnerability Detail

VestingEscrow.revokeAll function allows the owner to stop vesting for the recipient and transfer the unclaimed and locked tokens. So if the user didn't claim before and his unclaimed balance is not 0, then he will lose that amount.

Thus it is likely that any recipient will front-run the VestingEscrow.revokeAll function with a claim call in order to decrease the loss.

Impact

Recipient can decrease his loss and claim unclaimed tokens before they are transferred to owner.

Code Snippet

Provided above

Tool used

Manual Review

Recommendation

I don't see a solution here that would make it impossible for the user to claim tokens.

Duplicate of #63
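The ordering effect described in the report can be made concrete with a small model. The following is an added example, not the Rio vesting escrow's own code: it assumes a linear vesting schedule, the method names `claim`/`revoke_all`, and the sample numbers (1000 tokens vesting over 1000 seconds, both transactions landing at t=400). It runs `claim` and `revokeAll` in both orders at the same timestamp and reports where the tokens end up, which shows that the amount at stake is exactly the vested-but-unclaimed portion and nothing more.

```python
# Toy model of a linear vesting escrow. Added example, not the Rio escrow's
# own code: the linear schedule, method names and numbers are assumptions.

class VestingEscrow:
    def __init__(self, owner, recipient, total, start, end):
        self.owner = owner
        self.recipient = recipient
        self.total = total          # tokens deposited into the escrow
        self.start = start          # vesting start timestamp
        self.end = end              # vesting end timestamp
        self.claimed = 0            # tokens already paid out to the recipient
        self.revoked_at = None      # timestamp of revokeAll, if it happened
        self.balances = {owner: 0, recipient: 0}

    def vested(self, now):
        """Linearly vested amount; vesting stops accruing at revoke time."""
        t = now if self.revoked_at is None else min(now, self.revoked_at)
        if t <= self.start:
            return 0
        if t >= self.end:
            return self.total
        return self.total * (t - self.start) // (self.end - self.start)

    def unclaimed(self, now):
        return max(0, self.vested(now) - self.claimed)

    def claim(self, now, caller):
        if caller != self.recipient:
            raise PermissionError("only the recipient may claim")
        amount = self.unclaimed(now)
        self.claimed += amount
        self.balances[self.recipient] += amount
        return amount

    def revoke_all(self, now, caller):
        if caller != self.owner:
            raise PermissionError("only the owner may revoke")
        if self.revoked_at is not None:
            raise RuntimeError("already revoked")
        self.revoked_at = now
        # Everything still held by the escrow (unclaimed vested + locked)
        # is transferred to the owner, as the report describes.
        amount = self.total - self.claimed
        self.balances[self.owner] += amount
        self.claimed = self.total
        return amount


def simulate(order, total=1000, start=0, end=1000, now=400):
    """Run the named calls in the given order at one timestamp.
    Returns (recipient_balance, owner_balance) afterwards."""
    e = VestingEscrow("owner", "recipient", total, start, end)
    steps = {
        "claim": lambda: e.claim(now, "recipient"),
        "revokeAll": lambda: e.revoke_all(now, "owner"),
    }
    for name in order:
        steps[name]()
    return e.balances["recipient"], e.balances["owner"]


def front_run_gain(total=1000, start=0, end=1000, now=400):
    """Tokens that move from owner to recipient when claim lands first.
    This equals the vested-but-unclaimed amount and never exceeds it."""
    r_first, _ = simulate(["claim", "revokeAll"], total, start, end, now)
    r_last, _ = simulate(["revokeAll", "claim"], total, start, end, now)
    return r_first - r_last


if __name__ == "__main__":
    print("revokeAll then claim:", simulate(["revokeAll", "claim"]))
    print("claim then revokeAll:", simulate(["claim", "revokeAll"]))
    print("difference:", front_run_gain())
```

Whichever order the two transactions land in, the total leaving the escrow is the full deposit; only the split changes, and the change is bounded by what had already vested to the recipient at that moment. That is the point both judging comments make: the locked (not yet vested) portion is always recoverable by the owner, and the vested portion is the recipient's in either case.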

solimander commented 9 months ago

Invalid. It's within their right to claim vested tokens.

sherlock-admin2 commented 9 months ago

1 comment(s) were left on this issue during the judging contest.

_rahul commented:

Invalid: Recipient has authorized escrow to be fully revokable to help recover funds (in case of loss of recipient address etc.) during setup. Essentially, owner calls revokeAll() to rescue funds for the recipient. In this context, it's unlikely that recipient will front-run revokeAll().