Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

test/vesting/vesting.test.ts

kp8877

To analyze the provided code and identify vulnerabilities while proposing improvements, we will focus on key areas including security practices, code structure, gas optimization, and maintainability.

Vulnerabilities Identified

  1. Lack of Access Control:

    • The terminateVesting and releaseRemaining functions should have access control mechanisms (e.g., onlyOwner, onlyBeneficiary) to ensure that only authorized accounts can call these functions.

  2. Time Manipulation:

    • The code relies on block timestamps for determining the vesting schedule. If the underlying blockchain allows miners to manipulate block timestamps, this could lead to unintended outcomes (e.g., premature termination).

  3. Magic Numbers:

    • The vesting duration (86400 * 10) is hardcoded, making the code less readable and maintainable. Consider using named constants instead.

  4. Error Handling:

    • There is no error handling for functions like mint, transfer, or vesting-related functions. If these operations fail, it could lead to unintentional behavior.

  5. Token Transfer Assumptions:

    • The code assumes that all token transfers will succeed without checks. If the transfer fails (e.g., insufficient balance), the test could produce misleading results.

Proposed Improvements

  1. Implement Access Control:

    • Use OpenZeppelin's AccessControl or Ownable for managing permissions on critical functions like terminateVesting and releaseRemaining.

    import "@openzeppelin/contracts/access/Ownable.sol";
    contract Vesting is Ownable {
    ...
    function terminateVesting(address[] calldata tokens) external onlyOwner {
    // implementation
    }
    function releaseRemaining(address token) external onlyBeneficiary {
    // implementation
    }
    }

  2. Use Named Constants:

    • Define constants for key values to improve readability.

    const VESTING_DURATION = 86400 * 10; // 10 days

  3. Error Handling:

    • Ensure that critical operations check for success and revert if they fail. Use try-catch blocks or revert statements as needed.

    await sdlToken.mint(accounts[0], toEther(1000)).catch((error) => {
    console.error("Minting failed:", error);
    throw error;
    });

  4. Avoid Time Manipulation Reliance:

    • Instead of relying solely on block timestamps, consider incorporating a method to validate if the function can be called based on the state of the vesting.

    require(block.timestamp >= start + duration, "Vesting period not over yet");

  5. Improved Test Assertions:

    • Include checks to ensure that the expected state of the contract and accounts matches expected values after operations. This would include assertions for failed operations or reverting.

    await assert.isRejected(
    vesting.terminateVesting([adrs.sdlToken]),
    "Only owner can terminate vesting"
    );

  6. Comprehensive Testing:

    • Add more test cases to cover edge cases, such as trying to terminate vesting before the duration has elapsed or calling releaseRemaining without being the beneficiary.

Example of Refactored Code

Here's an example of how the test setup might look after applying some of these suggestions:

import { toEther, deploy, getAccounts, fromEther } from '../utils/helpers'
import { StakingAllowance, Vesting } from '../../typechain-types'
import { assert } from 'chai'
import { loadFixture, time } from '@nomicfoundation/hardhat-network-helpers'
import { ethers } from 'hardhat'
const VESTING_DURATION = 86400 * 10; // 10 days
describe('Vesting', () => {
async function deployFixture() {
const { accounts } = await getAccounts();
const adrs: any = {}
const sdlToken = (await deploy('StakingAllowance', [
'Stake Dot Link',
'SDL',
])) as StakingAllowance;
adrs.sdlToken = await sdlToken.getAddress();
const start: number = (await ethers.provider.getBlock('latest')).timestamp;
const vesting = (await deploy('Vesting', [
accounts[0],
accounts[1],
start,
VESTING_DURATION,
])) as Vesting;
adrs.vesting = await vesting.getAddress();
await sdlToken.mint(accounts[0], toEther(1000));
await sdlToken.transfer(adrs.vesting, toEther(1000));
return { accounts, adrs, sdlToken, start, vesting };
}
it('vars should be correctly set', async () => {
const { accounts, start, vesting } = await loadFixture(deployFixture);
assert.equal(await vesting.owner(), accounts[0]);
assert.equal(await vesting.beneficiary(), accounts[1]);
assert.equal(Number(await vesting.start()), start);
assert.equal(Number(await vesting.duration()), VESTING_DURATION);
});
it('should be able to terminate vesting', async () => {
const { accounts, adrs, start, vesting, sdlToken } = await loadFixture(deployFixture);
await time.setNextBlockTimestamp(start + 4 * 86400);
await vesting.terminateVesting([adrs.sdlToken]);
await vesting.releaseRemaining(adrs.sdlToken);
assert.equal(fromEther(await sdlToken.balanceOf(accounts[0])), 600);
assert.equal(fromEther(await sdlToken.balanceOf(accounts[1])), 400);
assert.equal(fromEther(await sdlToken.balanceOf(adrs.vesting)), 0);
});
});

Conclusion

By implementing access controls, using constants for magic numbers, enhancing error handling, and ensuring comprehensive testing, you can significantly improve the security, maintainability, and robustness of your smart contract code. This will help prevent vulnerabilities and ensure that the intended logic functions correctly.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.