Closed sherlock-admin2 closed 9 months ago
3 comment(s) were left on this issue during the judging contest.
_rahul commented:
Invalid: Recipient has authorized escrow to be fully revokable to help recover funds (in case of loss of recipient address etc.) during setup. Essentially, owner calls revokeAll() to rescue funds for the recipient. In this context, it's unlikely that the recipient will front-run revokeAll().
Shaheen commented:
Valid Medium, good catch
pratraut commented:
'valid as malicious recipient can steal unclaimed tokens'
Shaheen

medium

revokeAll is useless without a delay mechanism on claim(), as the recipient can frontrun the revokeAll TRX to withdraw unclaimed tokens

Summary

revokeAll is useless without a delay mechanism on claim(), as the recipients can frontrun revokeAll TRXs to withdraw unclaimed tokens.
Vulnerability Detail

The revokeAll() function is in place so the org deploying the vesting escrow can claw back all the tokens when something written into the legal contract is breached. If the user breaks any legal conditions or does something malicious with the voting power, the owner of the contract will call revokeAll(), which will take locked + unclaimed tokens out of the contract.

The problem is, the user can easily frontrun the revokeAll() TRX to withdraw unclaimed tokens and break the legal contract.
Proof-of-Concept

revokeAll() to claw back all 75k of Alex's tokens
claim() to withdraw all the unclaimed tokens with a higher Trx gas fee than the revokeAll Trx

Code Proof-of-Concept
Impact
Code Snippet
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/2d14c2b84b69c53a45c81aa4f907af9617f9a94f/rio-vesting-escrow/src/VestingEscrow.sol#L177
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/2d14c2b84b69c53a45c81aa4f907af9617f9a94f/rio-vesting-escrow/src/VestingEscrow.sol#L136
Tool used
🦅
Recommendation

There should be a withdrawal delay mechanism on claim() which doesn't give the users a chance to frontrun revokeAll. Or make the org's owner aware of this issue and encourage them to use a private mempool for revoking. The former is more recommended, as private pools are not really "private". A very good implementation of a delay mechanism can be found here.

Thanks!

Duplicate of #63