Closed sherlock-admin closed 9 months ago
1 comment(s) were left on this issue during the judging contest.
_rahul commented:
Invalid: Recipient has authorized escrow to be fully revocable to help recover funds (in case of loss of recipient address etc.) during setup. Essentially, owner calls revokeAll() to rescue funds for the recipient. In this context, it's unlikely that the recipient will front-run revokeAll().
CL001
medium
The revokeAll() method is subject to a front-running attack
Summary
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/2d14c2b84b69c53a45c81aa4f907af9617f9a94f/rio-vesting-escrow/src/VestingEscrow.sol#L177
The revokeAll() method is used to disable the further flow of tokens and revoke all tokens to the owner, but the recipient can front-run it by calling the claim() method and obtaining the unclaimed() vesting.
Vulnerability Detail
In normal circumstances, the owner decides to call revokeAll() while the recipient is unaware of it in advance. The recipient sees the call and front-runs it by calling the claim() method to claim the vesting.
Impact
The impact is a violation of the system design and destroys the normal functioning of the revokeAll() method.
Code Snippet
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/2d14c2b84b69c53a45c81aa4f907af9617f9a94f/rio-vesting-escrow/src/VestingEscrow.sol#L177
Tool used
Manual Review
Recommendation
Lock the claim() method before calling the revokeAll() method
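The ordering dependence described under Vulnerability Detail, as an added example that is not the Rio VestingEscrow code: a minimal Python model of a linear vesting escrow whose revoke_all() sweeps both locked and vested-but-unclaimed tokens, run once with claim() mined before revoke_all() and once after. The class, the numbers and the call names are constructed for the model.

```python
# Added example, not the project's code: a simplified vesting escrow model
# that shows why the block ordering of the recipient's claim() and the
# owner's revokeAll() decides who receives the vested-but-unclaimed tokens.
from dataclasses import dataclass


@dataclass
class VestingEscrow:
    total: int                 # tokens deposited at setup (constructed)
    start: int                 # vesting start timestamp
    end: int                   # vesting end timestamp
    claimed: int = 0
    fully_revoked: bool = False
    owner_balance: int = 0
    recipient_balance: int = 0

    def vested(self, now: int) -> int:
        # Linear schedule with no cliff, kept minimal for the model.
        if now <= self.start:
            return 0
        if now >= self.end:
            return self.total
        return self.total * (now - self.start) // (self.end - self.start)

    def unclaimed(self, now: int) -> int:
        # After a full revocation nothing is claimable, vested or not.
        if self.fully_revoked:
            return 0
        return self.vested(now) - self.claimed

    def claim(self, now: int) -> int:
        amount = self.unclaimed(now)
        self.claimed += amount
        self.recipient_balance += amount
        return amount

    def revoke_all(self, now: int) -> int:
        # Owner takes everything the escrow still holds: locked and unclaimed.
        amount = self.total - self.claimed
        self.fully_revoked = True
        self.owner_balance += amount
        return amount


def run(order: list) -> tuple:
    """Mine the given calls in order at t=50 of a 0..100 schedule and return
    (recipient_balance, owner_balance)."""
    escrow = VestingEscrow(total=1_000, start=0, end=100)
    for call in order:
        getattr(escrow, call)(now=50)
    return escrow.recipient_balance, escrow.owner_balance
```

With claim() mined first the recipient keeps the 500 tokens vested so far and the owner recovers the rest; with revoke_all() mined first the owner recovers all 1,000.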
Duplicate of #63