Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

startTime` Can Be Set to a Past Date in `createVestingSchedule`

pelz

Summary

The createVestingSchedule function allows the startTime to be set to a date earlier than the current block timestamp. This enables creating vesting schedules that are already partially or fully vested upon creation, potentially allowing beneficiaries to claim tokens immediately.

Vulnerability Details

The current implementation does not validate the startTime:

schedule.startTime = startTime; // @audit-issue startTime can be set at a date less than block.timestamp

Impact

  • Loss of intended time-locking mechanism, undermining vesting integrity.

  • Potential financial risks if large token allocations become instantly available.

  • Unfair advantage to malicious orchestrators who can backdate vesting schedules.

Tools Used

Manual code review.

Recommendations

Add a validation check to ensure the startTime is not in the past:

if (startTime < block.timestamp) revert InvalidStartTime();

This enforces that vesting schedules can only start at the current or future timestamps, preserving their intended function.

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.