_releaseIntervalSecs is not validated

Lines of code Vulnerability details Impact VTVLVesting.sol has createClaimUnchecked function to create the claims internally while validating parameters with the users' allocations. However, releaseIntervalSecs is not validated comparing to user's linearVestAmount and startTimestamp endTimestamp...

The bytes allocated to linearVestAmount is too small in the struct VTVLVesting.Claim

Lines of code Vulnerability details Impact In baseVestedAmount of VTVLVesting.sol, when we calculate the vested amount, vestAmt is the sum of cliffAmount and linearVestAmount. linearVestAmount is calculated from the fraction of completed interval as follows. uint112 linearVestAmount =...

numTokensReservedForVesting is not compared with contract balance

Lines of code Vulnerability details Impact In VTVLVesting contract, the claims are created without comparing the numTokensReservedForVesting variable to the contract balance. If the sum of all user vesting tokens is below this param then the contract will be insolvent to be withdrawn. Proof of...

createClaim can be circumvented

Lines of code Vulnerability details Impact VTVLVesting.sol has createClaim function for the admins to create claims. However, a malicious admin vector exists inside. The project gives some powerfull access to the admins for some reason as stated on the contest page. And a good intention is to emi...

Mistakenly use of arithmetic operation can lead to loss

Lines of code Vulnerability details Mistakenly use of arithmetic operation can lead to loss Description Calculating the values can somewhat correct to what you need but this is a great mistake of calculation which should be overcomed .Now why should this be overcomed? Since in Solidity, the order...

Outdated Claims can be created which will potentially inflate the vested amounts

Lines of code Vulnerability details Overview In creating claims, the VTVLVesting contract uses various time related variables including startTimestamp and endTimestamp which determines when the linear vesting starts and ends consecutively. This is visible in the createClaim , createClaimsBatch an...

lack of check if claim is active in vestedAmount,claimableAmount and finalVestedAmount.

Lines of code Vulnerability details Impact According to the contract, finalVestedAmount function calculates the total vested at the end of the schedule. vestedAmount function calculates the amount vested for a given recipient at a reference timestamp. claimableAmount function Calculates how much...

Admin Shouldn't Be Able to Withdraw Aleady Claimable Vested Token

Lines of code Vulnerability details Impact It is not ideal for admins to be able to withdraw any vested amount that is ALREADY claimable by vesting recipients to keep vesting recipient's or investors or employees incentives alligned with admins project. The point I want to say is that, current...

Potential Impossibility in Creating claims Batch

Lines of code Vulnerability details Overview The createClaimsBatch function of the VTVLVesting contract allows for creation of claims in batch with an unbounded amount of actions. Specifically, the function does not impose a hard cap on the number of elements in the arrays passed as parameters...

An admin can revoke the claim of a given claimant at any time then withdraw the claim due to said claimant.

Lines of code Vulnerability details Impact I understand the reasoning why admins are given the ability to revoke claims but that power in combination with the fact that an admin can then withdraw said claim that was due to a claimant gives rug vibes. This ability should at least be behind a...

Fee on transfer tokens can make users receive less than they are supposed to

Lines of code Vulnerability details Impact Some tokens take a transfer fee e.g. STA, PAXG. Tokens like these will be supported because the vested amount will be the amount that was actually transferred i.e. the balance of the contract after the transfer, but it will cause the user to receive less...

Overflow can make a claim impossible to revoke by the admin and fully withdraw by the recipient

Lines of code Vulnerability details Impact In contract VTVLVesting.sol, the multiplication in function baseVestedAmount can overflow for big enough values of truncatedCurrentVestingDurationSecs and linearVestAmount. This means the claim could be successfully created by the admin, but could NEVER ...

Users may not withdraw their tokens.

Lines of code Vulnerability details Impact VTVLVesting's withdraw function has a logic error that impacts the distribution. According to the NATSPEC comment, the users can withdraw their tokens which are fully claimable. However, as per the function's logic users can withdraw their tokens until a...

The protocol doesn't support fee-on transfer ERC20 tokens

Lines of code Vulnerability details Impact The withdraw function in VTVLVesting.sol contract, doesn't handle cases where the tokenAddress is a fee-on transfer ERC20 token. There are ERC20 tokens that may make certain customisations to their ERC20 contracts. One type of these tokens is deflationar...

A malicious Admin can call numerous number of times the function withdrawAdmin() and result in Deniel of Service.

Lines of code Vulnerability details Impact This issue can result in Deniel of Service and potentially locking all the users's activeClaim in the contract. Proof of Concept The function withdrawAdmin is used by the Admin to withdraw unallocated tokens. "uint256 amountRemaining" allows the admin to...

Loss of vested amounts

Lines of code Vulnerability details Impact Vesting is a legal term that means the point in time where property is earned or gained by some person. The VTVLVesting contract defines: a start time Claim::startTimestamp and an end time Claim::endTimestamp at which vesting starts and ends for a entitl...

maxSupply_ fails to set a limit.

Lines of code Vulnerability details Impact In VariableSupplyERC20Token.sol maxSupply is used to set a limit to the amount mintable, and a value of 0 is used to represent an infinite limit. 0 is indeed a nonsensical value for this variable, and as such would be suitable to represent infinity, but...

No check of vesting completion can break the distribution when the admin withdraws tokens

Lines of code Vulnerability details Impact VTVLVesting.sol has withdrawAdmin function to allow admins to withdraw the unallocated tokens. However, it's not controlled whether the vesting is completed. If an uncontrolled withdraw occurs in a FullPremintERC20Token contract, than it would break the...

Revoking claim should regard accrued but not claimed tokens

Lines of code Vulnerability details Impact revokeClaim should send the user what is already vested at this moment before deactivating the claim. e.g. imagine a situation when a user has never claimed the tokens and has 90% already vested but suddenly the admin decides to revoke it and the user is...

Division Before Multiplication Can Lead To Zero

Lines of code Vulnerability details Impact There is a division before multiplication bug that exists in truncatedCurrentVestingDurationSecs calculations Proof of Concept uint40 truncatedCurrentVestingDurationSecs = currentVestingDurationSecs / claim.releaseIntervalSecs claim.releaseIntervalSecs;...

admin still can mint token even if limit is reached

Lines of code Vulnerability details Impact In VariableSupplyERC20Token.sol theres a mint function that can be operate only by admin. The function should operate in 2 ways. IF maxSupplywas declared inconstructor, the admincan only mint as long as the token less thanmaxSupply/mintableSupply. OR IF...

Overflow in amount calculation can lead to users not being able to withdraw their funds

Lines of code Vulnerability details Impact The amounts of token are saved in uint112 variables. The baseVestedAmount, which calculates the amount of token that was vested for the user given a timestamp, contains the following line that calculates the relative amount using the time passed from the...

An admin can revoke a claim even after the end date

Lines of code Vulnerability details From the contest description it seems that the sponsor doesn't intend to allow admin to revoke a claim after it end: our vesting contract is deliberately designed to allow admin revocation in the circumstances of early employment termination before the end of...

DoS with underlying Rebasing/Deflationary tokens

Lines of code Vulnerability details M -01 Issues with underlying Rebasing/Deflationary tokens Problem When underlying token is Rebasing/Deflationary at some point users will not be able to withdraw, because of the rebasing mechanics balance of tokens of the smart contract may change over time and...

Revoking a claim blocks a recipient from withdrawing any unclaimed but due amount.

Lines of code Vulnerability details Impact Whenever an admin revokes a claim and the recipient has any unclaimed but vested balance , the unclaimed part is also revoked. Take for instance a total amount of 365 tokens vested over 1 year with a release interval of 1 day. If the recipient at day 30...

Time rounding can cause users to not be able to withdraw all the funds they are eligible for

Lines of code Vulnerability details Impact The time that has passed from the start of the vest is rounded down to the closest multiplication of claim.releaseIntervalSecs. The user can claim the funds for an interval only at the end of it. That means that users can't withdraw the funds for a part ...

Employee can be unable to withdraw claimable amount that she or he deserves after admin revokes her or his claim

Lines of code Vulnerability details Impact When an employee has an active claim, this employee can call the following withdraw function to withdraw the claimable amount that she or he is entitled to, which would increase her or his claim's amountWithdrawn. Because the employee is free to call...

Missing ReEntrancy Guard to Withdraw function

Lines of code Vulnerability details Impact Missing ReEntrancy Guard to Withdraw function Proof of Concept There is no re-entry risk on true ERC-20 tokens that work according to the spec i.e. audited, etc.. However you can write a malicious ERC-20 with custom transferFrom or approve that have...

Can overflow linear vest calculation and lock up funds

Lines of code Vulnerability details Impact If a Claim object for a user has a large enough vesting time and/or linear vesting amount, then that object can get into a state such that the calculations in baseVestedAmount overflow. If the baseVestedAmount calculations overflow, then the associated...

DoS With Block Gas Limit

Lines of code Vulnerability details Impact Modifying an array of unknown size, that increases in size over time in the function createClaimUnchecked can lead to Deniel of Service. Proof of Concept When smart contracts are deployed or functions inside them are called, the execution of these action...

Upgraded Q -> M from 264 [1663928566317]

Judge has assessed an item in Issue 264 as Medium risk. The relevant finding follows: L-05 Single-step Vetoer transfer is unsafe If the newVetoer is set to the incorrect address, the functionality will be unretrievable. 1 instance of this issue has been found: L-05 NounsDAOLogicV2.solL839-L845...

Race condition on vesting revokes

Lines of code Vulnerability details Impact Race condition with vesting revokes, frontrunning decides who gets the funds. Proof of Concept An admin can revoke a vesting for a given receiver. Revoking will disallow the receiver to get his already released tokens since active will be set to false an...

Rebasing tokens can ruin the claiming

Lines of code Vulnerability details Rebasing tokens has the ability to use all the funds before all the recipients fulfilled their vestings. This can happen as the system records balance in nominals terms, while it can be rebased thereafter, which will create a discrepancy with system's accountin...

Reentrancy in withdrawAdmin() function

Lines of code Vulnerability details Impact When ERC777 token is used as the vested token, an admin can reenter withdrawAdmin function before tokens have actually been sent and balance of the vesting contract changed and bypass the amountRemaining requirement check, resulting in withdrawing all...

VariableSupplyERC20Token bypass max supply

Lines of code Vulnerability details Impact When minting the tokens in VariableSupplyERC20Token the mintableSupply is reduced, thus you can bypass the max supply limit once it hits 0 because 0 means unlimited. As far as I understand, the total supply should never reach the cap set in the construct...

User will lose rewards

Lines of code Vulnerability details Impact User will lose there rewards even when vesting period has completed. Also the reward will get stuck in the contract with no one able to retrieve them Proof of Concept 1. Admin creates a new claim using createClaim function function createClaim address...

THE amountRemaining IN withdrawAdmin() IS UNDERFLOW

Lines of code Vulnerability details Impact Allocated tokens can get messed up when the amountRemaining in the withdrawAdmin function is underflowed in rare cases. This will make 'numTokensReservedForVesting' will have a larger amount of funds compared to the funds in the token. This will make it...

In VTVLVesting._baseVestedAmount(), the funds might be locked inside the contract forever with uint112 overflow.

Lines of code Vulnerability details Impact In VTVLVesting.baseVestedAmount, the funds might be locked inside the contract forever with uint112 overflow. Currently, it doesn't consider uint112 overflow during multiply and it's very likely to happen when the vesting duration is not short like 1 yea...

Can't create another claim for user which his claim was revoked / ended

Lines of code Vulnerability details Impact The admin can accidentally create the wrong claim for a user and then revoke it, or he would like to renew a vesting for a user which his vesting was ended. However, this is not possible, because the current claim's fields are not zeroed when it is revok...

Claim can only be created for a recipient once

Lines of code Vulnerability details Claim can only be created for a recipient once The function creating claims, createClaimUnchecked, has the hasNoClaim modifier, that is defined as opposite hasActiveClaim, meaning it reverts if there is an active claim for a user. It reverts if...

numTokensReservedForVesting is not compared with contract balance

Lines of code Vulnerability details Impact In VTVLVesting contract, the claims are created without comparing the numTokensReservedForVesting variable to the contract balance. If the sum of all user vesting tokens is below this param then the contract will be insolvent to be withdrawn. Proof of...

UNBOUNDED LOOPS MAY CAUSE createClaimsBatch() TO FAIL

Lines of code Vulnerability details Impact There are no limits on the number of claims, which may cause the feature to fail due to a certain number of claims entered. Proof of Concept There are no upper bounds on this loop: FIle: contracts/VTVLVesting.sol for uint256 i = 0; i Recommended Mitigati...

VariableSupplyERC20Token cannot be deployed due to wrong access control

Lines of code Vulnerability details Impact VariableSupplyERC20Token contract cannot be deployed resulting in not functioning contract. Proof of Concept mint function is called in the constructor of VariableSupplyERC20Token contract. constructorstring memory name, string memory symbol, uint256...

Two address tokens can be withdrawn by the admin even if they are vested

Lines of code Vulnerability details Impact Two address tokens exists in the blockchain. For example, Synthetix's ProxyERC20 contract is such a token which exists in many forms sUSD, sBTC.... Tokens as such can be vested, but the admin can withdraw them even if they are vested by providing the oth...

Vesting revoke will disallow receiver from receiving already unlocked tokens

Lines of code Vulnerability details Impact Unfair loss of tokens for the receiver. Proof of Concept Vesting is used by employers to align incentives in startups and prevent employees from leaving the company if they want to get the vested tokens. This is why a revoke function was included. From t...

error in calculation of vested amount

Lines of code Vulnerability details Impact The function vestedAmount can return a wrong value of vested amount. Proof of Concept The function vestedAmount calculates the vested amount of a recipient at a given time,referenceTs. The problem is that if the referenceTs is in the past and the user ha...

Remove the withdrawOtherToken function (phishing)

Lines of code Vulnerability details Impact This function can be only called by admins. Remove the withdrawOtherToken function to prevent you from phishing attacks. Proof 1. Attacker will send the fake tokens to your contract address. 2. Now there are 100% chances, admin of vesting contract will b...

Wrong accounting logic when syncRewards() is called within beforeWithdraw makes withdrawals impossible

Lines of code Vulnerability details Impact sfrxETH.beforeWithdraw first calls the beforeWithdraw of xERC4626, which decrements storedTotalAssets by the given amount. If the timestamp is greater than the rewardsCycleEnd, syncRewards is called. However, the problem is that the assets have not been...

Overflow in _baseVestedAmount() prevents claims to be retrieved

Lines of code Vulnerability details Impact Rewards of high value will be unable to be withdrawn since claimableAmount will revert. Proof of Concept In line 176, if we assume there's a claim of a token with 18 decimals and a vesting of 1 year, which is a realistic vesting period that can be observ...

Limited supply of VariableSupplyERC20Token can be bypassed to mint an infinite amount of tokens

Lines of code Vulnerability details Limited supply of VariableSupplyERC20Token can be bypassed to mint an infinite amount of tokens VariableSupplyERC20Token is defined as A ERC20 token contract that allows minting at will, with limited or unlimited supply. No burning possible In the case of a...