⛳Missing hasStarted Modifier
The vulnerability arises when the vesting contract allows users to call a function like claimConverted()
before the vesting period has started. If no check is in place to verify that the vesting schedule has begun, users can claim tokens prematurely, violating the intended token lock-up period.
How the Vulnerability Occurs
In a vulnerable contract, the function responsible for allowing users to claim vested tokens (e.g., claimConverted()
) does not verify whether the vesting schedule has started. This means that users can call the function at any time, even if the owner or administrator of the contract has not yet initiated the vesting period. Without a hasStarted
modifier, there is no protection to prevent early claims.
Mitigation: Adding the hasStarted
Modifier
hasStarted
ModifierTo prevent users from claiming tokens before the vesting period has started, we need to implement a hasStarted
modifier that checks whether the vesting has been officially initiated by the owner or contract administrator. This modifier should ensure that no claims can be made until the vesting schedule begins.
Conclusion
Vesting contracts without proper checks to enforce the start of the vesting period are vulnerable to users claiming tokens before the owner initiates the vesting schedule. This vulnerability can disrupt the intended token distribution plan and undermine trust in the contract.
To mitigate this issue, it is crucial to implement a hasStarted
modifier that ensures users can only claim tokens after the vesting period has officially begun. By adding this safeguard and allowing only the owner to start the vesting, you can secure the vesting process and maintain control over token distribution timelines.
Following this approach will ensure that tokens are vested and claimed according to the intended schedule, protecting both the project and its participants from early token claims.
Last updated