Closed sherlock-admin closed 9 months ago
Invalid, `amount` is a `uint256` that cannot take negative values.
1 comment(s) were left on this issue during the judging contest.
pratraut commented:
'invalid as amount is of type uint256 which can't store negative values'
KeyKiril
medium
No validation check might cause negative impact on the state of the contract in the `claim` function
Summary
Without the validation check, the function will allow claims with an amount of zero. This could lead to unexpected behaviour or undesired state changes in the contract.
Vulnerability Detail
The `claim` function appears to be designed to allow a recipient to claim vested tokens from the smart contract. This is the attack scenario:
Without the `amount > 0` check, the `totalClaimed` variable could be incremented by a negative value if a malicious user sends a transaction with a negative amount. This could lead to unintended behaviour and negative values for `totalClaimed`, which may affect subsequent calculations and contract logic. Including the check `require(amount > 0, "Invalid amount")` is a good practice to ensure that the amount parameter is valid and positive, preventing potential negative impacts on the contract's state.
Impact
It is possible to fully block the `claim` function, and no one will be able to claim their vested tokens.
Code Snippet
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrow.sol#L136C1-L136C1
Tool used
Manual Review
Recommendation
Consider adding a require check in the `claim` function. This line ensures that the amount parameter is greater than zero before proceeding with the claim operation.
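An added illustration (editor's code, not part of the issue or of the Rio project): a Python model of how a `uint256` argument is ABI-encoded and of a minimal `claim()` with the recommended `amount > 0` check. It shows that a negative amount has no `uint256` encoding and so never reaches the contract, that the recommended check only rejects zero, and that a two's-complement "-1" decodes as `2**256 - 1`, which only an upper-bound check catches. The balance bound in the model is an assumption, not something the page states.

```python
# Added example, not the issue's or the project's code: a model of uint256 calldata
# and a hypothetical claim() to show what require(amount > 0) does and does not reject.

UINT256_MAX = 2**256 - 1


def encode_uint256(value: int) -> bytes:
    """ABI-encode an integer as uint256 (32-byte big-endian, unsigned).
    Negative or oversized ints have no uint256 representation, so the encoder
    refuses them before any calldata is built; a "negative amount" therefore
    cannot be submitted to a uint256 parameter at all."""
    if not 0 <= value <= UINT256_MAX:
        raise ValueError(f"{value} is not representable as uint256")
    return value.to_bytes(32, "big")


def decode_uint256(word: bytes) -> int:
    """Inverse of encode_uint256. The EVM reads the word as unsigned, so the
    two's-complement bit pattern of -1 (all 0xff) decodes as 2**256 - 1."""
    if len(word) != 32:
        raise ValueError("uint256 word must be exactly 32 bytes")
    return int.from_bytes(word, "big")


class VestingEscrowModel:
    """Hypothetical bookkeeping only (assumption, not the project's contract):
    total vested so far and total already claimed; no token transfer."""

    def __init__(self, vested: int) -> None:
        self.vested = vested
        self.total_claimed = 0

    def claim(self, amount: int) -> int:
        """Apply the report's recommended check plus an upper bound against the
        unclaimed balance (assumed here). Returns the new total_claimed."""
        if not 0 <= amount <= UINT256_MAX:
            raise ValueError("uint256 parameter out of range")
        if amount == 0:
            raise ValueError("Invalid amount")  # the recommended require(amount > 0)
        if amount > self.vested - self.total_claimed:
            # This bound, not amount > 0, is what stops a huge value such as
            # the unsigned reading of -1 from inflating total_claimed.
            raise ValueError("amount exceeds unclaimed balance")
        self.total_claimed += amount
        return self.total_claimed
```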