MxAxM
commented
3 months ago despite mentioning the root cause, it doesn't describe the impact clearly.
Closed sherlock-admin3 closed 3 months ago
MxAxM
commented
3 months ago despite mentioning the root cause, it doesn't describe the impact clearly.
0xboriskataa
medium
Incorrect merkle proof check used for tranche vesting
Summary
Incorrect merkle proof check used for tranche vesting contracts
Vulnerability Detail
The files in scope that have "Merkle" in the file name use the modifier
validMerkleProof(bytes32 leaf, bytes32[] memory merkleProof)to validate data inputed by the user which is specific depending on the type of contract.For example
PerAddressContinuousVestingMerkle.solvalidatesstart,cliffandendwhich are specific attributes related to continuous vesting:Another example is
PerAddressTrancheVestingMerkle.solin which tranches are validated instead:The issues is that
PerAddressTrancheVestingMerkleDistributor.soldoesn't validate any tranches. Instead it just validates generic data:We can compare it to
PerAddressContinuousVestingMerkleDistributor.sol:As you can see the continuous vesting distributor still validates
start,cliffandendlikePerAddressContinuousVestingMerkle.sol.Impact
This allows the user to use less data and still pass the modifier check. He can for example call
claim()and claim his tokens without specifying any tranches as leaves.Code Snippet
https://github.com/sherlock-audit/2024-05-tokensoft-distributor-contracts-update/blob/main/contracts/packages/hardhat/contracts/claim/factory/PerAddressTrancheVestingMerkleDistributor.sol#L47
Tool used
Manual Review
Recommendation
Change the inputs for the modifier to this: