Nice Chiffon Mandrill
Medium
The nonce validation mechanism in the claim function will cause users to permanently lose access to their claimable tokens as validators can manipulate transaction order, causing higher nonce transactions to be processed before lower ones. When this happens, not only will the lower nonce transaction revert, but the off-chain system may mark both transactions as claimed when only one succeeded, temporarily or permanently preventing users from claiming their full allocation.
In VVVVCTokenDistributor.sol#L115-L117, the nonce validation only checks if the provided nonce is greater than the stored nonce:
if (_params.nonce <= nonces[_params.kycAddress]) {
revert InvalidNonce();
}This check assumes transactions will be processed in ascending nonce order, but validators can reorder transactions in a block, processing higher nonces before lower ones.
- User has multiple valid signed claim transactions with different nonces
- Transactions are submitted close together in time
No response
- User submits two claim transactions:
- Transaction A with nonce 4
- Transaction B with nonce 5
- Validator includes Transaction B (nonce 5) first in the block
nonces[_params.kycAddress]is updated to 5- Transaction A (nonce 4) is processed next but reverts because 4 <= 5
- Failed transactions and lost gas fees as their legitimate claim transactions revert due to transaction reordering
- Potential permanent loss of claimable tokens as the off-chain system may mark both transactions as "claimed" when only the second transaction actually succeeded on-chain. This desynchronization between off-chain and on-chain state could permanently prevent users from claiming their full entitled token amount
The impact is amplified by the fact that there's no clear recovery mechanism - once the off-chain system marks tokens as claimed, users might have no recourse to claim the tokens that were lost due to the failed transaction, effectively losing a portion of their allocation permanently.
No response
No response