The ZENO token contract's constructor currently lacks crucial validation for the MATURITY_DATE parameter. While the date becomes immutable after deployment, the absence of proper validation during construction could allow the setting of invalid values, potentially compromising the entire redemption functionality of the contract.
The current implementation accepts any timestamp value for MATURITY_DATE without validation. This could result in the maturity date being set to a past date accidentally, or to an unreasonably distant future date. Such a scenario could permanently break the redemption functionality, as the isRedeemable() check would either always return true (for past dates) or false (for distant future dates). This vulnerability is particularly concerning because the immutable nature of the MATURITY_DATE means it cannot be corrected after deployment.
Manual Review
The contract should implement strict validation in the constructor to ensure the MATURITY_DATE is set to a reasonable and valid value. This validation should include checks for minimum and maximum bounds, ensuring the date is in the future but not unreasonably distant. Here's the recommended implementation:
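One way to write such a bounds check is sketched below. This is an added example, not the ZENO contract's or the report's own code. The contract name, the `MIN_MATURITY_DELAY` and `MAX_MATURITY_DELAY` values, the error names and the body of `isRedeemable()` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the ZENO contract. The contract name, both bounds
// and both error names are assumptions chosen for this example.
contract MaturityBoundedExample {
    // Assumed bounds; a real deployment would derive these from product terms.
    uint256 public constant MIN_MATURITY_DELAY = 1 days;
    uint256 public constant MAX_MATURITY_DELAY = 3650 days;

    // Fixed at deployment, so the constructor is the only place to validate it.
    uint256 public immutable MATURITY_DATE;

    error MaturityTooSoon(uint256 maturityDate, uint256 earliestAllowed);
    error MaturityTooFar(uint256 maturityDate, uint256 latestAllowed);

    constructor(uint256 maturityDate) {
        uint256 earliest = block.timestamp + MIN_MATURITY_DELAY;
        uint256 latest = block.timestamp + MAX_MATURITY_DELAY;

        // Rejects zero, past timestamps and dates inside the minimum delay.
        if (maturityDate < earliest) {
            revert MaturityTooSoon(maturityDate, earliest);
        }
        // Rejects unit mistakes such as a millisecond timestamp or extra digit.
        if (maturityDate > latest) {
            revert MaturityTooFar(maturityDate, latest);
        }

        MATURITY_DATE = maturityDate;
    }

    // Assumed form of the check named in the finding: redeemable once the
    // maturity date has been reached.
    function isRedeemable() public view returns (bool) {
        return block.timestamp >= MATURITY_DATE;
    }
}
```

Because a revert in the constructor aborts deployment, an out-of-range date never reaches the immutable slot, and the custom error reports both the rejected value and the bound it violated.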