VTVL contest - MiloTruck's results

Lines of code

https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L280-L292

Vulnerability details

Rebasing tokens are tokens that have each holder's balanceof() increase over time. Aave aTokens are an example of such tokens.

Impact

When a claim is created, users expect that rewards generated by tokens are accounted for by the contract and they receive their share. However, if rebasing tokens are used as the token in the VTVLVesting contract, rewards generated by tokens cannot be withdrawn by a claim's recipient, but instead goes to the contract's admins.

Proof of Concept

In _createClaimUnchecked(), the total amount a claim can withdraw is fixed, represented by cliffAmount + linearVestAmount:

 280:    Claim memory _claim = Claim({
 281:        startTimestamp: _startTimestamp,
 282:        endTimestamp: _endTimestamp,
 283:        cliffReleaseTimestamp: _cliffReleaseTimestamp,
 284:        releaseIntervalSecs: _releaseIntervalSecs,
 285:        cliffAmount: _cliffAmount,
 286:        linearVestAmount: _linearVestAmount,
 287:        amountWithdrawn: 0,
 288:        isActive: true
 289:    });
 290:    // Our total allocation is simply the full sum of the two amounts, _cliffAmount + _linearVestAmount
 291:    // Not necessary to use the more complex logic from _baseVestedAmount
 292:    uint112 allocatedAmount = _cliffAmount + _linearVestAmount;

The amount actually available grows over time and is only known at the time of withdrawal. However, the amount given to recipients by withdraw() is calculated based on the fixed values of cliffAmount and linearVestAmount, and does not account for this growth in rebasing tokens. Thus, these extra tokens do not go to recipients, but instead remain in the contract until an admin withdraws them with withdrawAdmin().

Recommended Mitigation Steps

For rebasing tokens, calculate the pro-rata token amount to be withdrawn whenever a withdrawl is made.