0xboriskataa
medium
Incorrect merkle proof check used for tranche vesting
Summary
Incorrect merkle proof check used for tranche vesting contracts
Vulnerability Detail
The files in scope that have "Merkle" in the file name use the modifier validMerkleProof(bytes32 leaf, bytes32[] memory merkleProof) to validate data input by the user; which data is validated depends on the type of contract.

For example, PerAddressContinuousVestingMerkle.sol validates start, cliff and end, which are attributes specific to continuous vesting:

Another example is PerAddressTrancheVestingMerkle.sol, in which tranches are validated instead:

The issue is that PerAddressTrancheVestingMerkleDistributor.sol doesn't validate any tranches. Instead it just validates generic data:

We can compare it to PerAddressContinuousVestingMerkleDistributor.sol:

As you can see, the continuous vesting distributor still validates start, cliff and end, like PerAddressContinuousVestingMerkle.sol.

Impact

This allows the user to use less data and still pass the modifier check. He can, for example, call claim() and claim his tokens without specifying any tranches as leaves.

Code Snippet
https://github.com/sherlock-audit/2024-05-tokensoft-distributor-contracts-update/blob/main/contracts/packages/hardhat/contracts/claim/factory/PerAddressTrancheVestingMerkleDistributor.sol#L47
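To make the binding problem concrete, here is an added illustration (not code from the Tokensoft contracts or from the finding's author) of what a Merkle leaf does and does not commit to. It uses sha256 in place of Solidity's keccak256/abi.encode, a commutative pair hash in the style of OpenZeppelin's MerkleProof, and constructed beneficiaries and tranche schedules; generic_leaf mirrors a leaf that omits the tranche data, tranche_leaf one that includes it.

```python
import hashlib
from typing import Callable, List, Tuple

Tranche = Tuple[int, int]  # (unlock time, basis points of the total)

def h(data: bytes) -> bytes:
    # sha256 stands in for Solidity's keccak256 in this illustration
    return hashlib.sha256(data).digest()

def hash_pair(a: bytes, b: bytes) -> bytes:
    # commutative pair hash (OpenZeppelin MerkleProof style): order-independent
    return h(min(a, b) + max(a, b))

def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        # an odd trailing node is promoted unchanged to the next level
        levels.append([hash_pair(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def proof_for(levels: List[List[bytes]], index: int) -> List[bytes]:
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append(level[sibling])
        index //= 2
    return proof

def verify(root: bytes, leaf: bytes, proof: List[bytes]) -> bool:
    node = leaf
    for sibling in proof:
        node = hash_pair(node, sibling)
    return node == root

def generic_leaf(beneficiary: str, total: int, tranches: List[Tranche]) -> bytes:
    # Only beneficiary and total are committed; the tranche schedule is ignored.
    return h(beneficiary.encode() + total.to_bytes(32, "big"))

def tranche_leaf(beneficiary: str, total: int, tranches: List[Tranche]) -> bytes:
    # The whole schedule is hashed into the leaf, so any change breaks the proof.
    enc = b"".join(t.to_bytes(8, "big") + bps.to_bytes(4, "big") for t, bps in tranches)
    return h(beneficiary.encode() + total.to_bytes(32, "big") + h(enc))

# constructed sample allocations (hypothetical names and schedules)
SAMPLE = [("alice", 1000, [(100, 5000), (200, 5000)]),
          ("bob", 500, [(150, 10000)])]

def claim_verifies(make_leaf: Callable[..., bytes], schedule: List[Tranche]) -> bool:
    """Build the tree from SAMPLE, then check whether alice's claim with `schedule` passes."""
    levels = build_tree([make_leaf(b, t, tr) for b, t, tr in SAMPLE])
    root, proof = levels[-1][0], proof_for(levels, 0)
    beneficiary, total, _ = SAMPLE[0]
    return verify(root, make_leaf(beneficiary, total, schedule), proof)
```

With generic_leaf, a claim passes for any schedule the caller supplies; with tranche_leaf, only the schedule that was committed at tree-build time verifies.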
Tool used
Manual Review
Recommendation
Change the inputs for the modifier to this: