VTVL contest - 0x52's results

Building no-code token management tools to empower web3 founders and investors, starting with token vesting.

General Information

Platform: Code4rena

Start Date: 20/09/2022

Pot Size: $30,000 USDC

Total HM: 12

Participants: 198

Period: 3 days

Judge: 0xean

Total Solo HM: 2

Id: 164

League: ETH

VTVL

Findings Distribution

Researcher Performance

Rank: 38/198

Findings: 1

Award: $218.09

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: eierina

Also found by: 0x52, 0xA5DF, 0xdapper, ElKu, Ruhum, RustyRabbit, TomJ, obront, pauliax, pcarranzav, pedroais, rbserver

Labels

bug
duplicate
3 (High Risk)

Awards

218.0935 USDC - $218.09

External Links

Lines of code

https://github.com/code-423n4/2022-09-vtvl/blob/f68b7f3e61dad0d873b5b5a1e8126b839afeab5f/contracts/VTVLVesting.sol#L418-L437

Vulnerability details

Impact

Vested but unclaimed tokens are stolen from user

Proof of Concept

When revokeClaim is called, it removes all remaining tokens for a user, vested or unvested. Vested tokens should be considered as tokens already paid and shouldn't be revokable, for the protection of the user being paid. Admin is a trusted role, but measures should always be taken with every trusted party to reduce that trust to a minimum.

Tools Used

Manual Review

revokeClaim should adjust the user's claim, preserving the currently vested tokens and only removing unvested tokens.

#0 - 0xean

2022-09-24T18:51:05Z

dupe of #475
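The revocation accounting this finding describes, next to the recommended fix, as an added Solidity example. It is not code from VTVLVesting.sol or from the submission; the contract, function and field names are hypothetical, vesting is assumed to be linear, and the token transfer is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.14;

// Added illustration, not VTVLVesting.sol. All names are hypothetical.
contract VestingRevokeExample {
    struct Claim { uint40 start; uint40 end; uint112 total; uint112 withdrawn; bool active; }
    address public immutable admin = msg.sender;
    mapping(address => Claim) public claims;
    uint112 public reserved; // tokens the contract must hold for recipients

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    function createClaim(address who, uint40 start, uint40 end, uint112 total) external onlyAdmin {
        require(end > start && !claims[who].active, "bad claim");
        claims[who] = Claim(start, end, total, 0, true);
        reserved += total;
    }

    // Linear vesting between start and end.
    function vested(Claim memory c, uint40 t) internal pure returns (uint112) {
        if (t <= c.start) return 0;
        if (t >= c.end) return c.total;
        return uint112(uint256(c.total) * (t - c.start) / (c.end - c.start));
    }

    function withdraw() external returns (uint112 amt) {
        Claim storage c = claims[msg.sender];
        require(c.active, "no claim");
        amt = vested(c, uint40(block.timestamp)) - c.withdrawn;
        c.withdrawn += amt;
        reserved -= amt; // the token transfer to msg.sender would go here
    }

    // Behaviour the finding describes: vested-but-unwithdrawn tokens are released too.
    function revokeAll(address who) external onlyAdmin {
        Claim storage c = claims[who];
        require(c.active, "no claim");
        reserved -= c.total - c.withdrawn;
        c.active = false; // withdraw() now reverts, so the vested part is lost
    }

    // Recommended fix: freeze the schedule now; only the unvested remainder is released.
    function revokeUnvested(address who) external onlyAdmin {
        Claim storage c = claims[who];
        require(c.active, "no claim");
        uint112 v = vested(c, uint40(block.timestamp));
        reserved -= c.total - v;
        (c.total, c.end) = (v, uint40(block.timestamp)); // vested part stays withdrawable
    }
}
```

With a claim of 1,000 tokens revoked halfway through the schedule and nothing withdrawn, `revokeAll` drops `reserved` by 1,000 and the recipient can withdraw nothing, while `revokeUnvested` drops it by 500 and leaves 500 withdrawable.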
