Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Lack of Maturity Date Validation Can Lead to Permanently Locked User Tokens

Summary

The ZENO contract's constructor accepts a _maturityDate parameter without validating if it's set to a future timestamp. Since this value is immutable and used to determine token redeemability, setting it to a past timestamp or zero would permanently prevent users from redeeming their tokens.

Vulnerability Details

In the constructor:

    constructor(
        address _usdc,
        uint256 _maturityDate,
        string memory _name,
        string memory _symbol,
        address _initialOwner
    ) Ownable(_initialOwner) ERC20(_name, _symbol) {
        USDC = IERC20(_usdc);
        MATURITY_DATE = _maturityDate; // No validation of the maturity date
    }

The isRedeemable() function uses this timestamp to determine if tokens can be redeemed:

    function isRedeemable() public view returns (bool _redeemable) {
        _redeemable = (block.timestamp >= MATURITY_DATE);
    }

If MATURITY_DATE is set to 0 or a past timestamp during deployment:

  1. isRedeemable() will always return false

  2. All redeem attempts will revert due to the BondNotRedeemable() check

  3. Users' tokens will be permanently locked in the contract

Impact

  • It can result in permanent loss of user funds

  • No way to modify the maturity date after deployment due to immutability

  • Affects all users who mint tokens in the affected contract instance

Tools Used

Manual

Recommendations

Add validation in the constructor to ensure the maturity date is set to a future timestamp.
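
A sketch of the recommended constructor check, as an added example that is not part of the submission or the project's code. The contract name, the two maturity error names and the MAX_TERM bound are assumptions; the upper bound goes beyond the recommendation and also rejects values far in the future, such as a timestamp passed in milliseconds instead of seconds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: standalone sketch, not the ZENO contract. It keeps only the
// maturity logic quoted above so the constructor check can be read in isolation.
contract MaturityGuardExample {
    // Hypothetical error names, not taken from the project.
    error MaturityNotInFuture(uint256 maturityDate, uint256 deployedAt);
    error MaturityTooFar(uint256 maturityDate, uint256 maxAllowed);
    // Error name as referenced in the submission.
    error BondNotRedeemable();

    // Assumed upper bound on the bond term, chosen for illustration only.
    uint256 public constant MAX_TERM = 50 * 365 days;

    // Immutable: a bad value cannot be corrected after deployment,
    // so every check has to happen in the constructor.
    uint256 public immutable MATURITY_DATE;

    constructor(uint256 _maturityDate) {
        // Reject zero and any timestamp at or before the deployment block.
        if (_maturityDate <= block.timestamp) {
            revert MaturityNotInFuture(_maturityDate, block.timestamp);
        }
        // Reject dates beyond the assumed maximum term.
        if (_maturityDate > block.timestamp + MAX_TERM) {
            revert MaturityTooFar(_maturityDate, block.timestamp + MAX_TERM);
        }
        MATURITY_DATE = _maturityDate;
    }

    // Same comparison as the function quoted in the submission.
    function isRedeemable() public view returns (bool _redeemable) {
        _redeemable = (block.timestamp >= MATURITY_DATE);
    }

    // Stand-in for the redeem path: reverts until maturity is reached.
    function redeemGuard() external view {
        if (!isRedeemable()) revert BondNotRedeemable();
    }
}
```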

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
