code-423n4 / 2024-06-vultisig-validation


Invalid validation of vesting schedule #661

Open c4-bot-4 opened 2 months ago

c4-bot-4 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/base/ILOVest.sol#L43

Vulnerability details

Impact

The _validateVestSchedule function in ILOVest.sol should validate the vesting schedule timelines and must check that the schedules do not overlap.

The logic to check for overlaps works fine, but it does not check for the case where start > end in the schedule.

This can revert the _unlockedLiquidity function's calculations, thus reverting the claim process. It can lead to funds getting stuck in the contract.

Proof of Concept

  1. Admin of the contract initializes the ILOPool with incorrect vesting timelines where start=10000 and end=5000.
  2. It will pass the _validateSharesAndVests and all other validation in the ILOPool's initialization process.
  3. The Pool is launched and now the users try to claim.
  4. It reverts in the _unlockedLiquidity function.

Tools Used

Manual Review

Recommended Mitigation Steps

Add a check for start < end

Assessed type

Invalid Validation
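As an added illustration of the recommended mitigation (this is not ILOVest.sol's code; the struct, error and function names are assumed), a minimal validator that rejects a reversed schedule next to the overlap check, together with the linear-unlock arithmetic that such a schedule would otherwise break:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical, self-contained example (not the project's ILOVest.sol).
/// Each schedule unlocks `shares` (basis points) linearly between start and end;
/// schedules must be ordered in time and must not overlap.
contract VestScheduleValidator {
    struct VestingSchedule {
        uint64 start;
        uint64 end;
        uint16 shares; // basis points; all schedules together must sum to 10_000
    }

    error EmptySchedule();
    error StartNotBeforeEnd(uint256 index, uint64 start, uint64 end);
    error Overlap(uint256 index);
    error SharesMismatch(uint256 total);

    function validate(VestingSchedule[] memory s) public pure {
        if (s.length == 0) revert EmptySchedule();
        uint256 total;
        uint64 lastEnd;
        for (uint256 i = 0; i < s.length; i++) {
            // The check the report says is missing: with start >= end, the
            // `end - start` and `now - start` terms in unlocked() would underflow
            // (or divide by zero), reverting every claim instead of rejecting the
            // schedule at initialization time.
            if (s[i].start >= s[i].end) {
                revert StartNotBeforeEnd(i, s[i].start, s[i].end);
            }
            // Overlap check: each schedule must begin at or after the previous one ends.
            if (s[i].start < lastEnd) revert Overlap(i);
            lastEnd = s[i].end;
            total += s[i].shares;
        }
        if (total != 10_000) revert SharesMismatch(total);
    }

    /// Linear unlock at `now_`; safe only because validate() guarantees end > start.
    function unlocked(VestingSchedule memory v, uint64 now_) public pure returns (uint256) {
        if (now_ <= v.start) return 0;
        if (now_ >= v.end) return v.shares;
        return (uint256(v.shares) * (now_ - v.start)) / (v.end - v.start);
    }
}
```

With the report's example input (start=10000, end=5000) validate() reverts with StartNotBeforeEnd(0, 10000, 5000) at initialization, so the pool never reaches a state where claims revert.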

Haupc commented 2 months ago

Hi @alex-ppg, This report is valid to us. Could you please take a look?