Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Lack of startTime validation in function createVestingSchedule() in RAACReleaseOrchestrator.sol contract

Summary

The function createVestingSchedule lacks validation for the startTime parameter, allowing schedules to be created with a start time in the past. This could lead to unexpected vesting behavior, potential unfair advantage, or incorrect accounting of vested tokens.

Vulnerability Details

    function createVestingSchedule(
        address beneficiary,
        bytes32 category,
        uint256 amount,
        uint256 startTime // lack of startTime validation: if (startTime < block.timestamp) revert InvalidStartTime();
    ) external onlyRole(ORCHESTRATOR_ROLE) whenNotPaused {
        if (beneficiary == address(0)) revert InvalidAddress();
        if (amount == 0) revert InvalidAmount();
        if (vestingSchedules[beneficiary].initialized) revert VestingAlreadyInitialized();
        if (categoryAllocations[category] == 0) revert InvalidCategory();

        // Check category allocation limits
        uint256 newCategoryTotal = categoryUsed[category] + amount;
        if (newCategoryTotal > categoryAllocations[category]) revert CategoryAllocationExceeded();
        categoryUsed[category] = newCategoryTotal;

        VestingSchedule storage schedule = vestingSchedules[beneficiary];
        schedule.totalAmount = amount;
        schedule.startTime = startTime;
        schedule.duration = VESTING_DURATION;
        schedule.initialized = true;

        emit VestingScheduleCreated(beneficiary, category, amount, startTime);
    }

Start Time Can Be Set in the Past

  • The function does not check if startTime is less than the current block timestamp (block.timestamp).

  • A malicious or careless caller could set a vesting schedule as if it had started in the past, potentially allowing instant or accelerated vesting.

Potential Exploits

  • Early Claiming of Tokens: If vesting is based on time calculations, setting a past startTime could immediately unlock tokens instead of following the intended vesting schedule.

  • Unnecessary creation of vesting schedules that don't make sense, exploiting gas and storage.

Impact

  • Tokens may vest earlier than expected, breaking the intended lockup period.

  • Users may gain an unfair advantage by setting a startTime in the past and claiming tokens immediately.

  • Accounting and vesting calculations may be inaccurate, affecting treasury management.

Tools Used

Manual Review

Recommendations

Validate startTime to ensure it is not in the past. Add the line below to the start of the function.

if (startTime < block.timestamp) { revert InvalidStartTime(); }
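
The effect this report describes, as an added model that is not the RAAC contract or code from the submission: it compares what is already vested in the creation block with and without the recommended check. It assumes linear vesting (the page does not show how vested amounts are computed), a constructed VESTING_DURATION of 1000 seconds, and constructed timestamps and amounts.

```javascript
// Added model, not the RAAC contract. Linear vesting is an ASSUMPTION:
// the page does not show how vested amounts are computed.
const VESTING_DURATION = 1000n; // constructed value (seconds); real constant not on the page

class InvalidStartTime extends Error {}

// Mirrors only the schedule fields written by createVestingSchedule().
// `validate` toggles the check the report recommends.
function createVestingSchedule(amount, startTime, now, validate) {
  if (validate && startTime < now) throw new InvalidStartTime("InvalidStartTime");
  return { totalAmount: amount, startTime, duration: VESTING_DURATION };
}

// Hypothetical linear release formula with uint256-style integer division.
function vestedAmount(schedule, now) {
  if (now <= schedule.startTime) return 0n;
  const elapsed = now - schedule.startTime;
  if (elapsed >= schedule.duration) return schedule.totalAmount;
  return (schedule.totalAmount * elapsed) / schedule.duration;
}

// Amount already vested in the same block the schedule is created,
// or "reverted" when the start-time check rejects the call.
function vestedAtCreation(amount, startTime, now, validate) {
  try {
    return vestedAmount(createVestingSchedule(amount, startTime, now, validate), now);
  } catch (e) {
    if (e instanceof InvalidStartTime) return "reverted";
    throw e;
  }
}

const NOW = 1_700_000_000n; // constructed block.timestamp
const AMOUNT = 1_000_000n;  // constructed token amount
const cases = [
  ["startTime == now", NOW],
  ["backdated by 25% of duration", NOW - 250n],
  ["backdated past full duration", NOW - 2000n],
];
for (const [label, start] of cases) {
  console.log(label,
    "| unchecked:", String(vestedAtCreation(AMOUNT, start, NOW, false)),
    "| checked:", String(vestedAtCreation(AMOUNT, start, NOW, true)));
}
```

Because the recommended comparison is `<`, a schedule whose startTime equals block.timestamp is still accepted and has nothing vested at creation.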

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
