Closed sherlock-admin2 closed 9 months ago
Invalid, only recipient set by owner can claim tokens that are not locked for each escrow contract. There is no need to track investments since each vesting contract only has one recipient and amount claimable is sufficiently tracked by logic here
phenom
high
Potential Contract Drain Due to Lack of User Investment Tracking
Summary
The contract currently doesn't keep track of how much each user has invested. This could lead to problems when users want to withdraw their funds. For example, a bad actor might try to take more money than they actually put in, potentially causing issues for the protocol. Simply just relies on the total amount claimable in the contract
Vulnerability Detail
The main issue is the absence of a system to link each user's address with the amount they deposited. Without this, there's a risk that users may try to claim more tokens than they originally invested, which could harm the fairness of the protocol.
Impact
This vulnerability could result in inaccurate calculations during withdrawals and create a situation where a user might claim more tokens than they actually put in. This could undermine the trust and reliability of the protocol.
Code Snippet
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/2d14c2b84b69c53a45c81aa4f907af9617f9a94f/rio-vesting-escrow/src/VestingEscrow.sol#L136C5-L144C6
Tool used
Manual Review
Recommendation
To fix this issue, implement a system (using the userInvestments mapping) to link each user's address with the amount they've invested. Make sure to update the contract logic to use this mapping for withdrawal calculations to ensure accurate and secure tracking of user contributions.