Closed sherlock-admin2 closed 9 months ago
Similar to #33, at any given point of time, only the recipient set by the admin of the vesting contract can invoke claim() at any time, as indicated by the onlyRecipient modifier. Since user1 here is the recipient set by the deployer, it is intended that he can claim any unclaimed tokens based on the vesting schedule set by the admin. He cannot decide how long to vest.
1 comment(s) were left on this issue during the judging contest.
pratraut commented: 'invalid as warden demonstrated owner only deploying escrow and claiming tokens after vesting period over'
itsabinashb
medium
VestingEscrow::user can claim token after vesting for minimum time
Summary
The way claim() of the VestingEscrow.sol contract is designed, it allows a user to vest for a minimum time and claim the token after that.
Vulnerability Detail
The claim() does not have any check for a minimum withdrawing time limit. Because of this behaviour, a user can open a vesting position for a very minimal amount of time and claim the token. To see this in a test, comment out this and this line, create a test file in the test folder and paste this test case in it:
In this test the user1 vested for 1 minute. If we run the test we can see it will successfully pass:
The user can even open multiple vestings for such a minimal time and get all the vested amount in total. Replace this test function with the previous test function:
Result:
Impact
A user can open a vesting position for a very minimal amount of time and can claim tokens.
Code Snippet
Tool used
Manual Review, Foundry
Recommendation
Put a minimum time limit in claim() so that nobody can claim before a certain time.
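For reference, a hypothetical minimal vesting escrow (added here; it is not the audited VestingEscrow.sol) in which the deployer fixes the recipient, start, cliff and duration, and claim() enforces the cliff, which is the kind of minimum-time check the recommendation asks for. The contract name, its fields and the OpenZeppelin IERC20 import are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

/// Hypothetical escrow: the deployer (admin) fixes the whole schedule at
/// deployment; the recipient can only claim what has already vested and
/// cannot choose how long to vest. Tokens are assumed to be transferred to
/// this contract after deployment.
contract MinimalVestingEscrow {
    IERC20 public immutable token;
    address public immutable recipient;
    uint64 public immutable start;
    uint64 public immutable cliff;     // nothing claimable before start + cliff
    uint64 public immutable duration;  // total linear vesting period
    uint256 public immutable totalAmount;
    uint256 public claimed;

    modifier onlyRecipient() {
        require(msg.sender == recipient, "not recipient");
        _;
    }

    constructor(IERC20 _token, address _recipient, uint256 _amount,
                uint64 _start, uint64 _cliff, uint64 _duration) {
        require(_cliff <= _duration, "cliff exceeds duration");
        token = _token;
        recipient = _recipient;
        totalAmount = _amount;
        start = _start;
        cliff = _cliff;
        duration = _duration;
    }

    /// Amount released by the schedule at `timestamp`: zero before the
    /// cliff, linear until `start + duration`, then the full amount.
    function vestedAmount(uint64 timestamp) public view returns (uint256) {
        if (timestamp < start + cliff) return 0;
        if (timestamp >= start + duration) return totalAmount;
        return (totalAmount * (timestamp - start)) / duration;
    }

    /// Only the admin-set recipient may claim, and only after the cliff.
    function claim() external onlyRecipient {
        require(block.timestamp >= start + cliff, "cliff not reached");
        uint256 releasable = vestedAmount(uint64(block.timestamp)) - claimed;
        require(releasable > 0, "nothing to claim");
        claimed += releasable;
        require(token.transfer(recipient, releasable), "transfer failed");
    }
}
```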