Platform: Code4rena
Start Date: 20/09/2022
Pot Size: $30,000 USDC
Total HM: 12
Participants: 198
Period: 3 days
Judge: 0xean
Total Solo HM: 2
Id: 164
League: ETH
Rank: 11/198
Findings: 2
Award: $567.72
π Selected for report: 0
π Solo Findings: 0
π Selected for report: TomJ
Also found by: ayeslick, csanuragjain, pashov
548.864 USDC - $548.86
https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L257 https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L262
An admin can, by accident or on purpose, set both startTimestamp & endTimestamp to values less than current block.timestamp. This leads to the vesting period being completed immediately allowing members to claim instantly.
An admin sets startTimestamp & endTimestamp to values less than current block.timestamp
Claimants are able to claim their entire share early
Set startTimestamp to block.timestamp
Set endTimestamp to a set period in the future i.e. 1 month.
OR
endTimestamp should be greater than current block.timestamp by a certain amount i.e. 1 month.
#0 - 0xean
2022-09-25T19:03:33Z
dupe of #292
π Selected for report: AkshaySrivastav
Also found by: 0v3rf10w, 0x040, 0x1f8b, 0x4non, 0x5rings, 0x85102, 0xA5DF, 0xDecorativePineapple, 0xNazgul, 0xSky, 0xSmartContract, 0xbepresent, 0xf15ers, 0xmatt, 2997ms, Aeros, Aymen0909, B2, Bahurum, Bnke0x0, CertoraInc, Chom, ChristianKuri, CodingNameKiki, Deivitto, Diana, Diraco, Dravee, ElKu, Funen, IllIllI, JC, JLevick, JohnSmith, JohnnyTime, KIntern_NA, Lambda, Margaret, MasterCookie, OptimismSec, RaymondFam, Respx, ReyAdmirado, RockingMiles, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, SooYa, StevenL, TomJ, Tomo, V_B, Waze, Yiko, __141345__, a12jmx, ajtra, ak1, async, ayeslick, aysha, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, c3phas, carrotsmuggler, cccz, ch13fd357r0y3r, chatch, cryptostellar5, cryptphi, csanuragjain, d3e4, datapunk, delfin454000, dic0de, djxploit, durianSausage, eighty, erictee, exd0tpy, fatherOfBlocks, gogo, got_targ, hansfriese, ignacio, ikbkln, indijanc, innertia, joestakey, karanctf, ladboy233, leosathya, lukris02, martin, medikko, millersplanet, nalus, natzuu, neko_nyaa, neumo, obront, oyc_109, pcarranzav, peanuts, pedr02b2, pedroais, peiw, peritoflores, prasantgupta52, rajatbeladiya, rbserver, reassor, ret2basic, rokinot, romand, rotcivegaf, rvierdiiev, sach1r0, seyni, sikorico, slowmoses, sorrynotsorry, supernova, tibthecat, tnevler, ubermensch, yongskiws, zzykxx, zzzitron
18.8574 USDC - $18.86
https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L371 https://github.com/code-423n4/2022-09-vtvl/blob/main/contracts/VTVLVesting.sol#L374
The withdraw function calls the _baseVestedAmount to set the allowance for a given claimant. In the _baseVestedAmount function linearVestAmount is determined by multiplying _claim.linearVestAmount with truncatedCurrentVestingDurationSecs then dividing by finalVestingDurationSecs. If _claim.linearVestAmount was set to zero turn the result assigned to linearVestAmount will be zero. Thus _baseVestedAmount returns 0 which sets allowance to 0 which fails the required statement in the withdraw function.
Admin sets _linearVestAmount to zero
Claimant tries to claim their portion but their transaction reverts due to them having no allowance.
Donβt allow _linearVestAmount to be zero.
#0 - 0xean
2022-09-24T22:31:00Z
downgrading to QA.