Closed sherlock-admin closed 9 months ago
Invalid, there is only one vested position locked determined during vesting contract deployment. unclaimed() will not always return 0. It will only return zero when owner revokes token flow as seen here
1 comment(s) were left on this issue during the judging contest.
pratraut commented:
'invalid as issue demonstrated is deploying escrow contract multiple time and it holding the respective tokens sent to it and user is only checking locked tokens in last deployed contract'
Invalid, there is only one vested position locked determined during vesting contract deployment. unclaimed() will not always return 0. It will only return zero when owner revokes token flow as seen here
But when 3 users stake, then all 3 locked positions should be revokable in total, correct? Like in the test, 3 users staked 6 ether in total but the owner can only revoke 1 ether, is it expected? Please see here, it is saying revoke all tokens.
itsabinashb
high
VestingEscrow::locked tokens is not tracked correctly which results less token to be revoked by owner
Summary
Token locked amount for all vesting positions under a factory is not tracked properly; as a result, when the owner calls revokeAll() he will not get the full locked token amount.
Vulnerability Detail
The locked() and unclaimed() in the VestingEscrow.sol contract are responsible for calculating the total revokable amount for the owner. But locked() does not track all vested positions, it only tracks the latest vesting position, and unclaimed() always returns 0. As a result, when the owner calls revokeAll() he only gets the latest vested amount. To see this scenario in a test, comment out this & this line of the TestUtil.sol contract, create a test file in the test directory and paste this test case:
If we run this test we will get this result:
You can see the total locked amount is showing: 1000000000000000000 but it should show the total amount vested by user1, user2 and user3, which is 6000000000000000000. Another thing you can see is that the unclaimed value is showing 0. Most importantly, the owner could only revoke: 1000000000000000000. The issue could be in revokeAll(), the function looks like:
You can see the revokable is calculated like this: uint256 revokable = locked() + unclaimed();, but locked() returns the number of locked tokens of a recipient, which I think should not be considered. In my opinion totalLocked() should be considered for this because the description of the function says - /// @notice The total amount of tokens locked., but this also is not giving the right data, you can see that in the provided test case.
Impact
Owner is able to revoke a much smaller amount than he should.
Code Snippet
Tool used
Manual Review, Foundry
Recommendation
Track the locked amount properly.
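The per-escrow accounting that the judging comments describe, as an added Python model; it is not the audited Solidity code and not code from this thread. It assumes one escrow per recipient with linear vesting, and the class, the helper names and the 3/2/1 ether amounts are constructed for illustration.

```python
# Simplified model, not the audited contract: one escrow per recipient,
# linear vesting, amounts in wei. All values below are constructed.
from dataclasses import dataclass

ETHER = 10**18

@dataclass
class VestingEscrow:
    recipient: str
    total_locked: int          # fixed when this escrow is deployed
    start: int
    end: int
    claimed: int = 0
    revoked: bool = False

    def vested(self, now: int) -> int:
        if self.revoked or now <= self.start:
            return 0
        elapsed = min(now, self.end) - self.start
        return self.total_locked * elapsed // (self.end - self.start)

    def unclaimed(self, now: int) -> int:
        return 0 if self.revoked else self.vested(now) - self.claimed

    def locked(self, now: int) -> int:
        return 0 if self.revoked else self.total_locked - self.vested(now)

    def revoke_all(self, now: int) -> int:
        # Same shape as the line quoted in the issue:
        # revokable = locked() + unclaimed(), for this escrow only.
        revokable = self.locked(now) + self.unclaimed(now)
        self.revoked = True
        return revokable

def deploy_sample(start: int = 0, end: int = 100) -> list:
    # Three constructed positions totalling 6 ether.
    amounts = [("user1", 3), ("user2", 2), ("user3", 1)]
    return [VestingEscrow(r, n * ETHER, start, end) for r, n in amounts]

def revokable_by_escrow(escrows: list, now: int) -> dict:
    # What an off-chain check has to do: query every escrow, then sum.
    return {e.recipient: e.locked(now) + e.unclaimed(now) for e in escrows}

if __name__ == "__main__":
    escrows = deploy_sample()
    per = revokable_by_escrow(escrows, now=0)
    print(per, "sum:", sum(per.values()), "last only:", escrows[-1].locked(0))
```

In this model, reading only the most recently deployed escrow gives 1 ether, while the sum over all three escrows gives 6 ether, which is the gap between the two figures discussed in the thread.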