Users are unable to claim tokens now and might be able to drain the whole contract
Summary
Users are unable to claim tokens now and might be able to drain the whole contract
Vulnerability Detail
Users can call PerAddressTrancheVestingMerkleDistributor#claim() in order to claim tokens. They provide input data that is validated using a merkle tree.
function claim(
uint256 index, // the beneficiary's index in the merkle root
address beneficiary, // the address that will receive tokens
uint256 totalAmount, // the total claimable by this beneficiary
bytes32[] calldata merkleProof
)
external
validMerkleProof(keccak256(abi.encodePacked(index, beneficiary, totalAmount)), merkleProof)
nonReentrant
{
// effects
uint256 claimedAmount = _executeClaim(beneficiary, totalAmount, new bytes(0));
// interactions
_settleClaim(beneficiary, claimedAmount);
}
While there is another issue here that _executeClaim() is always called with bytes(0), there is another issue here as well. The function does not receive the tranches as an input and of course, they are also not validated to be valid using the merkle tree.
This creates 2 possible issues:
The function does not allow users to claim at all since the tranches are not provided
If the function is changed to accept tranches data, then they still won't be validated using the merkle tree unless that is changed as well, effectively allowing users to provide a tranche such that the time allows for a claim at the current time and vestedFraction value of it is so large that it allows the whole contract to be drained immediately.
Impact
The issue above explains a current issue that allows users to not be able to claim tokens. It also explains an issue that could arise in the future allowing the contract to be drained immediately which as stated in the contest page, issues that could arise in the future will be considered valid.
samuraii77
high
Users are unable to claim tokens now and might be able to drain the whole contract
Summary
Users are unable to claim tokens now and might be able to drain the whole contract
Vulnerability Detail
Users can call
PerAddressTrancheVestingMerkleDistributor#claim()
in order to claim tokens. They provide input data that is validated using a merkle tree.While there is another issue here that
_executeClaim()
is always called withbytes(0)
, there is another issue here as well. The function does not receive the tranches as an input and of course, they are also not validated to be valid using the merkle tree. This creates 2 possible issues:time
allows for a claim at the current time andvestedFraction
value of it is so large that it allows the whole contract to be drained immediately.Impact
The issue above explains a current issue that allows users to not be able to claim tokens. It also explains an issue that could arise in the future allowing the contract to be drained immediately which as stated in the contest page, issues that could arise in the future will be considered valid.
Code Snippet
https://github.com/sherlock-audit/2024-05-tokensoft-distributor-contracts-update/blob/67edd899612619b0acefdcb0783ef7a8a75caeac/contracts/packages/hardhat/contracts/claim/factory/PerAddressTrancheVestingMerkleDistributor.sol#L51-L65
Tool used
Manual Review
Recommendation
Accept the tranches data as an input and include it in the merkle tree validation.
Duplicate of #15