Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Past start time in vesting schedule creation enables shorter vesting periods

Summary

The RAACReleaseOrchestrator::createVestingSchedule() function accepts a startTime that lies in the past. Because vesting progress is measured from startTime, a backdated schedule vests faster than the intended VESTING_DURATION, shortening the effective vesting period.

Vulnerability Details

In RAACReleaseOrchestrator::createVestingSchedule(), nothing checks that the startTime parameter is at or after the current block timestamp:

function createVestingSchedule(
    address beneficiary,
    bytes32 category,
    uint256 amount,
    uint256 startTime
) external onlyRole(ORCHESTRATOR_ROLE) whenNotPaused {
    // ... other validations ...
    VestingSchedule storage schedule = vestingSchedules[beneficiary];
    schedule.startTime = startTime; // no check that startTime >= block.timestamp
    schedule.duration = VESTING_DURATION;
    // ...
}

Because _calculateReleasableAmount measures vesting progress as block.timestamp - schedule.startTime, a backdated startTime counts the time that "elapsed" before the schedule existed as already vested, so the beneficiary reaches full vesting VESTING_DURATION after the chosen startTime rather than after creation. Note that the function is gated by onlyRole(ORCHESTRATOR_ROLE): the backdated value must be supplied by an account holding that trusted role, whether deliberately or by mistake, so this is a missing input-validation check rather than an unprivileged attack path.

Impact

  • Vesting schedules can be created with an effective duration far shorter than the intended 700 days; if startTime is set VESTING_DURATION or more in the past, the elapsed time already equals the full duration at creation.

Recommendations

  1. Reject start times that lie in the past (a startTime equal to the current block.timestamp is still accepted by the check below):

function createVestingSchedule(
    address beneficiary,
    bytes32 category,
    uint256 amount,
    uint256 startTime
) external onlyRole(ORCHESTRATOR_ROLE) whenNotPaused {
+   if (startTime < block.timestamp) revert StartTimeMustBeFuture();
    // ... rest of the function
}
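The following is an added example, not code from the RAAC repository or from the submitter. It is a Python model of the vesting math the finding describes (both the unvalidated creation path above and the recommended check), so the shortened effective period can be measured offline. Assumptions not stated on the page: vesting is linear from startTime over VESTING_DURATION with no cliff, releasable equals vested minus already released, and the class, function and exception names (ReleaseOrchestrator, run_scenario, StartTimeInPast) are illustrative.

```python
# Added example (not RAAC project code): a Python model of the vesting math
# described in the finding. It shows how a past startTime shortens the
# effective vesting period and how the recommended `<` check closes it.
# Assumptions not on the page: linear vesting, no cliff, releasable = vested - released.
from dataclasses import dataclass

DAY = 86_400
VESTING_DURATION = 700 * DAY   # intended 700-day duration named in the finding
NOW = 1_700_000_000            # constructed "block.timestamp" at schedule creation


class StartTimeInPast(Exception):
    """Raised by the hardened orchestrator (illustrative name, not from the page)."""


@dataclass
class VestingSchedule:
    amount: int
    start_time: int
    duration: int = VESTING_DURATION
    released: int = 0


class ReleaseOrchestrator:
    """Model of createVestingSchedule / _calculateReleasableAmount (hypothetical)."""

    def __init__(self, validate_start_time: bool) -> None:
        self.validate_start_time = validate_start_time
        self.schedules: dict[str, VestingSchedule] = {}

    def create_vesting_schedule(self, beneficiary: str, amount: int,
                                start_time: int, block_timestamp: int) -> None:
        # The recommended fix: reject startTime strictly before block.timestamp.
        # startTime == block_timestamp is allowed, matching the `<` comparison.
        if self.validate_start_time and start_time < block_timestamp:
            raise StartTimeInPast(f"startTime {start_time} < block.timestamp {block_timestamp}")
        self.schedules[beneficiary] = VestingSchedule(amount, start_time)

    def calculate_releasable(self, beneficiary: str, block_timestamp: int) -> int:
        # Mirrors the page's description: progress is block.timestamp - startTime,
        # so any time "elapsed" before creation counts as already vested.
        s = self.schedules[beneficiary]
        if block_timestamp < s.start_time:
            return 0
        elapsed = block_timestamp - s.start_time
        vested = s.amount if elapsed >= s.duration else s.amount * elapsed // s.duration
        return vested - s.released


def effective_vesting_days(start_time: int, created_at: int) -> int:
    """Days of vesting actually left at creation when startTime is backdated."""
    already_elapsed = max(0, created_at - start_time)
    return max(0, VESTING_DURATION - already_elapsed) // DAY


def run_scenario() -> dict:
    amount = 700_000                  # constructed token amount
    backdated = NOW - 600 * DAY       # startTime 600 days in the past

    vulnerable = ReleaseOrchestrator(validate_start_time=False)
    vulnerable.create_vesting_schedule("alice", amount, backdated, NOW)

    hardened = ReleaseOrchestrator(validate_start_time=True)
    try:
        hardened.create_vesting_schedule("alice", amount, backdated, NOW)
        rejected = False
    except StartTimeInPast:
        rejected = True
    # A schedule starting right now is still accepted by the hardened variant.
    hardened.create_vesting_schedule("bob", amount, NOW, NOW)

    return {
        "effective_days": effective_vesting_days(backdated, NOW),
        "releasable_at_creation": vulnerable.calculate_releasable("alice", NOW),
        "releasable_after_100_days": vulnerable.calculate_releasable("alice", NOW + 100 * DAY),
        "hardened_rejected": rejected,
        "hardened_releasable_at_start": hardened.calculate_releasable("bob", NOW),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

With startTime 600 days in the past, the unvalidated model has 600/700 of the amount releasable the moment the schedule is created and the full amount 100 days later, i.e. a 100-day effective period instead of 700; the validated variant rejects that input while still accepting a schedule that starts at the current timestamp.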
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
