In the RAACReleaseOrchestrator.sol contract, the createVestingSchedule function does not check whether the startTime is in the past, which can lead to inconsistencies in the vesting schedule.
The vulnerability arises from the createVestingSchedule function, which allows the creation of vesting schedules with a startTime in the past. This omission can lead to inconsistencies in the vesting schedule, as the vesting period may have already started or even ended by the time the schedule is created. This can result in immediate vesting of tokens or incorrect calculation of the vesting period.
Allowing vesting schedules to be created with a startTime in the past can lead to immediate vesting of tokens, bypassing the intended vesting period. This can result in the premature release of tokens, undermining the vesting mechanism's purpose of gradually releasing tokens over time. It can also lead to incorrect calculations of the vesting period, causing confusion and potential disputes among stakeholders.
Manual Review
To mitigate this vulnerability, add a check in the createVestingSchedule function to ensure that the startTime is not in the past.
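One way to write the recommended check, as an added sketch that is not the RAAC contract's own code: the contract name, struct fields, parameters, error names and the linear vesting formula are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical minimal vesting contract (not RAACReleaseOrchestrator.sol).
contract VestingSketch {
    struct Schedule {
        uint256 total;    // tokens granted
        uint256 start;    // vesting start (unix seconds)
        uint256 duration; // vesting length (seconds)
    }

    address public immutable owner;
    mapping(address => Schedule) public schedules;

    error NotOwner();
    error InvalidSchedule();
    error StartTimeInPast(uint256 startTime, uint256 currentTime);

    constructor() {
        owner = msg.sender;
    }

    function createVestingSchedule(
        address beneficiary,
        uint256 amount,
        uint256 startTime,
        uint256 duration
    ) external {
        if (msg.sender != owner) revert NotOwner();
        if (beneficiary == address(0) || amount == 0 || duration == 0) revert InvalidSchedule();
        // The recommended check. Without it, a startTime of
        // block.timestamp - duration makes vestedAmount() return the
        // full grant in the same block the schedule is created.
        if (startTime < block.timestamp) revert StartTimeInPast(startTime, block.timestamp);
        schedules[beneficiary] = Schedule(amount, startTime, duration);
    }

    // Linear vesting: zero at or before start, full amount once duration has elapsed.
    function vestedAmount(address beneficiary) public view returns (uint256) {
        Schedule memory s = schedules[beneficiary];
        if (s.total == 0 || block.timestamp <= s.start) return 0;
        uint256 elapsed = block.timestamp - s.start;
        if (elapsed >= s.duration) return s.total;
        return (s.total * elapsed) / s.duration;
    }
}
```

A unit test for this check would call createVestingSchedule with startTime set to block.timestamp - 1 and expect the StartTimeInPast revert, then confirm that a schedule starting at block.timestamp reports zero vested in the creation block.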