Closed sherlock-admin2 closed 9 months ago
Invalid, admins are trusted entities trusted to not be malicious. See point 5. of sherlock rules. They retain the right to revoke tokens at any time to not allow user to claim tokens.
1 comment(s) were left on this issue during the judging contest.
pratraut commented:
'invalid as issues are not explained properly and recommendation is irrelevant'
kgothatso
high
VestingEscrow :: claim
owner can front run the contract and cause a DOS attack and steal all fundsSummary
owner can front run the contract and cause a DOS attack funds can be lost before funds are claimed
Vulnerability Detail
when a user claims for funds it will revert because the owner recovered all the Ether
Impact
loss of funds
Code Snippet
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrow.sol#L136
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrow.sol#L202
Tool used
Manual Review
Recommendation
owner should not be able to liquidate the contract without a 51% majority to approve the transaction