Closed sherlock-admin2 closed 9 months ago
Invalid, this is expected behavior, revoked tokens will be revoked back to owner given only owner can call this function. Additionally, this has the same exact design as the lido vesting escrow as seen here
1 comment(s) were left on this issue during the judging contest.
pratraut commented:
'invalid as owner can revokeAll in the extreme situation where found recipient malicious so funds should go to owner only'
jasonxiale
medium
VestingEscrow.revokeAll
doesn't conform withVestingEscrow.claim
Summary
In VestingEscrow.claim, when there are unclaimed token available the recipient can choose which address to receive the token by beneficiary parameter, it means the token can still under recipient's possess. But in VestingEscrow.revokeAll, the unclaimed will be sent to the owner together with locked token, which means the unclaimed token will under owner's possess.
Vulnerability Detail
In VestingEscrow.claim, when there are unclaimed token available the recipient can choose which address to receive the token by beneficiary parameter, it means the token can still under recipient's possess. But in VestingEscrow.revokeAll, the unclaimed will be sent to the owner together with locked token, which means the unclaimed token will under owner's possess.
Impact
Some tokens should be sent to recipient but instead sent to owner
Code Snippet
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrow.sol#L136-L144 https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrow.sol#L176-L189
Tool used
Manual Review
Recommendation