0xLeveler - user tokens can be claimed by anyone #280

sherlock-admin4 · 2024-11-17T18:29:07Z

0xLeveler

High

user tokens can be claimed by anyone

Summary

while a user submits the claimParams the tokens are sent to the caller of the function, which is anyone that can see the transaction in the mempool and frontrun the actual owner.

Root Cause

This is the entire claim function with insufficient validation
https://github.com/sherlock-audit/2024-11-vvv-exchange-update/blob/main/vvv-platform-smart-contracts/contracts/vc/VVVVCTokenDistributor.sol#L106-L136

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

user calls the claim function with valid claim params signed offchain by the signer.
any other user can see this claim in the mempool and submit it to withdraw all the user tokens due to lack of validation

Impact

Loss of investment returns for the user

PoC

No response

Mitigation

add validation to ensure that the claim is for the kycAddress that invested in the first place.

The text was updated successfully, but these errors were encountered:

sherlock-admin3 changed the title ~~Upbeat Red Duck - user tokens can be claimed by anyone~~ 0xLeveler - user tokens can be claimed by anyone Nov 23, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

0xLeveler - user tokens can be claimed by anyone #280

0xLeveler - user tokens can be claimed by anyone #280

sherlock-admin4 commented Nov 17, 2024 •

edited by sherlock-admin3

Loading

0xLeveler - user tokens can be claimed by anyone #280

0xLeveler - user tokens can be claimed by anyone #280

Comments

sherlock-admin4 commented Nov 17, 2024 • edited by sherlock-admin3 Loading

user tokens can be claimed by anyone

Summary

Root Cause

Internal pre-conditions

External pre-conditions

Attack Path

Impact

PoC

Mitigation

sherlock-admin4 commented Nov 17, 2024 •

edited by sherlock-admin3

Loading