Upon claiming using PerAddressContinuousVestingMerkleDistributor or PerAddressTrancheVestingMerkleDistributor, the flow goes through AdvancedDistributor#_executeClaim() which receives the data about how the vesting is supposed to happen.
The issue here is that the data received as the third parameter is completely omitted and instead, bytes(0) is used as the data. That is later decoded into the according type (tranches or cliff, start and end) but that will revert essentially disallowing users from claiming.
samuraii77
high
Users are unable to claim their tokens
Summary
Users are unable to claim their tokens
Vulnerability Detail
Upon claiming using
PerAddressContinuousVestingMerkleDistributororPerAddressTrancheVestingMerkleDistributor, the flow goes throughAdvancedDistributor#_executeClaim()which receives the data about how the vesting is supposed to happen.The issue here is that the data received as the third parameter is completely omitted and instead,
bytes(0)is used as the data. That is later decoded into the according type (tranches or cliff, start and end) but that will revert essentially disallowing users from claiming.Impact
Users are unable to claim their tokens
Code Snippet
https://github.com/sherlock-audit/2024-05-tokensoft-distributor-contracts-update/blob/67edd899612619b0acefdcb0783ef7a8a75caeac/contracts/packages/hardhat/contracts/claim/factory/AdvancedDistributorInitializable.sol#L106-L114
Tool used
Manual Review
Recommendation
Use the data provided instead of omitting it.
Duplicate of #11