Vanguard

First Flight #56
Beginner Friendly, DeFi, Foundry
Submission Details
Impact: low
Likelihood: low

Missing Validation to Ensure Phase 1 Penalty is Greater Than Phase 2

Author Revealed upon completion

Description

The project documentation explicitly states that Phase 1 should have "high penalties" while Phase 2 has "moderate penalties," implying a design requirement where phase1PenaltyBps > phase2PenaltyBps.

However, the TokenLaunchHook constructor does not enforce this relationship. It allows phase2PenaltyBps to be greater than or equal to phase1PenaltyBps, potentially leading to a misconfigured state that violates the intended economic design of the launch.

// src/TokenLaunchHook.sol
constructor(...) {
    // ...
    if (
        _phase1LimitBps > 10000 || _phase2LimitBps > 10000 || _phase1PenaltyBps > 10000 || _phase2PenaltyBps > 10000
@>  ) revert InvalidConstructorParams(); //q does it need that phase2 always is greater than phase1?
    // Missing check: _phase1PenaltyBps > _phase2PenaltyBps
    // ...
}

Risk

Likelihood:

  • Depends on deployer input.

Impact:

  • Could lead to wrong information if misconfigured.

Proof of Concept
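
As an added illustration (not part of the original report or the project's code), the following self-contained Solidity models the quoted bounds check next to the recommended ordering check. The model contract names, the uint256 parameter types and the sample basis-point values are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. The contracts below are hypothetical
// stand-ins that copy only the constructor check quoted in this report.
error InvalidConstructorParams();

contract CurrentCheckModel {
    uint256 public immutable phase1PenaltyBps;
    uint256 public immutable phase2PenaltyBps;

    constructor(
        uint256 _phase1LimitBps,
        uint256 _phase2LimitBps,
        uint256 _phase1PenaltyBps,
        uint256 _phase2PenaltyBps
    ) {
        // Bounds-only validation, as in the excerpt from src/TokenLaunchHook.sol.
        if (
            _phase1LimitBps > 10000 || _phase2LimitBps > 10000 || _phase1PenaltyBps > 10000 || _phase2PenaltyBps > 10000
        ) revert InvalidConstructorParams();
        phase1PenaltyBps = _phase1PenaltyBps;
        phase2PenaltyBps = _phase2PenaltyBps;
    }
}

contract HardenedCheckModel is CurrentCheckModel {
    constructor(uint256 l1, uint256 l2, uint256 p1, uint256 p2) CurrentCheckModel(l1, l2, p1, p2) {
        // Ordering check from the recommended mitigation: phase 1 must be strictly higher.
        if (p1 <= p2) revert InvalidConstructorParams();
    }
}

contract PenaltyOrderingDemo {
    // Constructed values: phase 1 penalty 500 bps, phase 2 penalty 2000 bps (inverted).
    function currentAcceptsInverted() external returns (bool) {
        // Deployment succeeds even though the penalties are in the wrong order.
        CurrentCheckModel m = new CurrentCheckModel(100, 500, 500, 2000);
        return m.phase1PenaltyBps() < m.phase2PenaltyBps();
    }

    function hardenedRejectsInverted() external returns (bool) {
        try new HardenedCheckModel(100, 500, 500, 2000) {
            return false; // deployment unexpectedly succeeded
        } catch (bytes memory reason) {
            // Deployment reverted; confirm it was the constructor-parameter error.
            return bytes4(reason) == InvalidConstructorParams.selector;
        }
    }
}
```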

Recommended Mitigation

Add a requirement in the constructor to enforce the intended penalty hierarchy.

if (
_phase1LimitBps > 10000 || _phase2LimitBps > 10000 || _phase1PenaltyBps > 10000 || _phase2PenaltyBps > 10000
) revert InvalidConstructorParams();
+ if (_phase1PenaltyBps <= _phase2PenaltyBps) revert InvalidConstructorParams();
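
Review bot: the added line reuses InvalidConstructorParams for the ordering failure, so a deployer who trips it cannot tell from the revert whether a value exceeded 10000 or the penalties were in the wrong order; a dedicated custom error for the ordering case would make the two distinguishable. The `<=` comparison also rejects equal penalties, which is consistent with the strict phase1PenaltyBps > phase2PenaltyBps requirement stated in the description.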
