The _validateVestSchedule function in ILOVest.sol should validate the vesting schedule timelines and must check that the schedules do not overlap.
The logic to check for overlaps works fine, but it does not check for the case where start > end in a schedule.
This can revert the _unlockedLiquidity function's calculations, thus reverting the claim process. It can lead to funds getting stuck in the contract.
Proof of Concept
Admin of the contract initializes the ILOPool with incorrect vesting timelines where start=10000 and end=5000.
It will pass the _validateSharesAndVests and all other validation in the ILOPool's initialization process.
The Pool is launched and now the users try to claim.
Lines of code
https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/base/ILOVest.sol#L43
Vulnerability details
Impact
The _validateVestSchedule function in ILOVest.sol should validate the vesting schedule timelines and must check that the schedules do not overlap. The logic to check for overlaps works fine, but it does not check for the case where start > end in a schedule. This can revert the _unlockedLiquidity function's calculations, thus reverting the claim process. It can lead to funds getting stuck in the contract.
Proof of Concept
_validateSharesAndVests and all other validation in the ILOPool's initialization process.
_unlockedLiquidity function.
Tools Used
Manual Review
Recommended Mitigation Steps
Add a check for
start < end
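The recommended check, as an added example (not the code in ILOVest.sol): the Vest struct, the error names and all three function bodies, including the linear-unlock formula, are assumptions made for illustration. It shows an overlap-only validator accepting start=10000, end=5000, a checked end - start subtraction reverting on that schedule, and a validator that adds the start < end requirement.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only. Struct layout and function bodies are assumptions,
/// not the contents of ILOVest.sol.
contract VestScheduleCheck {
    struct Vest { // hypothetical schedule entry
        uint64 start;
        uint64 end;
    }

    error InvertedRange(uint256 index, uint64 start, uint64 end);
    error Overlap(uint256 index);

    /// Overlap-only check: each schedule must begin at or after the previous
    /// one ends. A single entry {start: 10000, end: 5000} passes.
    function validateOverlapOnly(Vest[] memory s) public pure {
        uint64 lastEnd;
        for (uint256 i = 0; i < s.length; i++) {
            if (s[i].start < lastEnd) revert Overlap(i);
            lastEnd = s[i].end;
        }
    }

    /// Same loop with the start < end requirement checked first, so an
    /// inverted or zero-length schedule is rejected at initialization.
    function validateHardened(Vest[] memory s) public pure {
        uint64 lastEnd;
        for (uint256 i = 0; i < s.length; i++) {
            if (s[i].start >= s[i].end) {
                revert InvertedRange(i, s[i].start, s[i].end);
            }
            if (s[i].start < lastEnd) revert Overlap(i);
            lastEnd = s[i].end;
        }
    }

    /// Assumed linear unlock. The duration is taken with checked arithmetic,
    /// so start > end reverts with Panic(0x11) on every call, whatever nowTs is.
    function unlocked(Vest memory v, uint256 total, uint64 nowTs)
        public pure returns (uint256)
    {
        uint64 duration = v.end - v.start;
        if (nowTs <= v.start) return 0;
        if (nowTs >= v.end) return total;
        return (total * (nowTs - v.start)) / duration;
    }
}
```

Rejecting the schedule in the validator moves the failure to initialization, where the admin can correct it, instead of to claim time.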
Assessed type
Invalid Validation