Platform: Code4rena
Start Date: 20/09/2022
Pot Size: $30,000 USDC
Total HM: 12
Participants: 198
Period: 3 days
Judge: 0xean
Total Solo HM: 2
Id: 164
League: ETH
Rank: 19/198
Findings: 3
Award: $408.52
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Trust
Also found by: 0xSky, CertoraInc, KIntern_NA, bin2chen, hansfriese, neko_nyaa, neumo, rokinot, wastewa
In _baseVestedAmount of VTVLVesting.sol, when we calculate the vested amount, vestAmt is the sum of cliffAmount and linearVestAmount.
linearVestAmount is calculated from the fraction of completed interval as follows.
uint112 linearVestAmount = _claim.linearVestAmount * truncatedCurrentVestingDurationSecs / finalVestingDurationSecs;
40 bytes are allocated to timestamps, and _claim.linearVestAmount is 112 bytes long.
So actual space for _claim.linearVestAmount is 112 - 40 = 72 bytes in the multiplication. If the token has 18 decimals, it is nearly 60 bytes.
As a result, linearVestAmount is limited to 2**12 = 4096 tokens.
For better clarification, if we consider the actual timestamps are in 32 bytes, this limit can go up to 1048576 tokens, and still not so enough.
Allocate more space to linearVestAmount in the Claim struct.
#0 - 0xean
2022-09-24T19:18:40Z
dupe of #95
🌟 Selected for report: Czar102
Also found by: 0xDecorativePineapple, 0xNazgul, 0xSky, 0xbepresent, 0xmatt, Atarpara, Bahurum, DimitarDimitrov, Franfran, GimelSec, JGcarv, JLevick, Junnon, OptimismSec, Rolezn, Ruhum, Soosh, Tomo, Trust, __141345__, adriro, ajtra, bin2chen, cRat1st0s, cccz, cryptonue, d3e4, innertia, jag, joestakey, neumo, obront, pashov, pauliax, pcarranzav, peanuts, rajatbeladiya, rbserver, reassor, seyni, wagmi, zzykxx, zzzitron
0.7375 USDC - $0.74
In VariableSupplyERC20Token.sol, token supply is limited to mintableSupply and it is initialized by maxSupply_ in the constructor. If mintableSupply is 0, there is no limit in the supply.
So in the mint function, when mintableSupply is 0, internal _mint function is called directly without any validation. But this logic has a problem. In the mint function, mintableSupply is decreased by amount and it can be zero when amount == mintableSupply after several mints. As a result, we can mint further without any limit after we mint initial mintableSupply(=maxSupply_ of constructor).
Add a state variable which stores actual minted amount, instead of decreasing mintableSupply.
#0 - 0xean
2022-09-24T00:37:07Z
dupe of #3
🌟 Selected for report: AkshaySrivastav
Also found by: 0v3rf10w, 0x040, 0x1f8b, 0x4non, 0x5rings, 0x85102, 0xA5DF, 0xDecorativePineapple, 0xNazgul, 0xSky, 0xSmartContract, 0xbepresent, 0xf15ers, 0xmatt, 2997ms, Aeros, Aymen0909, B2, Bahurum, Bnke0x0, CertoraInc, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, Diraco, Dravee, ElKu, Funen, IllIllI, JC, JLevick, JohnSmith, JohnnyTime, KIntern_NA, Lambda, Margaret, MasterCookie, OptimismSec, RaymondFam, Respx, ReyAdmirado, RockingMiles, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, SooYa, StevenL, TomJ, Tomo, V_B, Waze, Yiko, __141345__, a12jmx, ajtra, ak1, async, ayeslick, aysha, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, c3phas, carrotsmuggler, cccz, ch13fd357r0y3r, chatch, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dic0de, djxploit, durianSausage, eighty, erictee, exd0tpy, fatherOfBlocks, gogo, got_targ, hansfriese, ignacio, ikbkln, indijanc, innertia, joestakey, karanctf, ladboy233, leosathya, lukris02, martin, medikko, millersplanet, nalus, natzuu, neko_nyaa, neumo, obront, oyc_109, pcarranzav, peanuts, pedr02b2, pedroais, peiw, peritoflores, prasantgupta52, rajatbeladiya, rbserver, reassor, ret2basic, rokinot, romand, rotcivegaf, rvierdiiev, sach1r0, seyni, sikorico, slowmoses, sorrynotsorry, supernova, tibthecat, tnevler, ubermensch, yongskiws, zzykxx, zzzitron
18.8577 USDC - $18.86
In setAdmin of AccessProtected.sol, when disable an admin, there is no check about how many admins left.
So it is possible that there is no admin in the Vesting contract. The impact is not huge because only admins can change admin status, and users can withdraw their claim without any admins. But in the situation, it is not possible to create new claims anymore, and revokeClaim is impossible when needed. So I raise this as a low risk.