4 matches found
Anyone Can Arbitrarily Call FSDVesting.updateVestedTokens()
Handle leastwood Vulnerability details Impact The updateVestedTokens function is intended to be called by the FSD.sol contract when updating a user's vested token amount. A check is performed to ensure that user == beneficiary, however, as user is a user controlled argument, it is possible to spo...
Missing access restriction on Vesting.updateVestedTokens
Handle cmichel Vulnerability details The FSDVesting.updateVestedTokens function is supposed to be called by the FDS contract only which also mints tokens to the contract. However, it does not have any access restrictions which leads to circumventing the vesting and further griefing attacks. POC...
FSDVesting: Restrict updateVestedTokens() calls to only FSD token contract
Handle hickuphh3 Vulnerability details Impact The updateVestedTokens increases the amount of tokens to be vested for a beneficiary. There is no access restriction to the function. The intended total vesting duration is 30 months with a 12-month cliff where 5% is immediately unlocked, and the...
Insufficient check on updateVestedTokens function
Handle rfa Vulnerability details Impact This function can be used by the beneficiary to update their vested token, however the function is callable by anyone, there is no check if the msg.sender/caller is the correct beneficiary, the only check is , but this check is user controllable, therefore...