hats-finance / Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777

IBO, Vesting & Bond mechanism repo prepared for Hat finance audit competition

Code doesn't work as per specification #28

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: @iamjakethehuman

Submission hash (on-chain): 0x0b28be62db73240245d01c2bf48760ce80ef282a6a95a0dc622f39d4b5ca80f8

Severity: medium

Description:

Code doesn't follow the logic it states in its comments

Attack Scenario

Referring to the inline comments in VestingCvg#createVestingSchedule

        * @param _startTimestamp start timestamp of the vesting, every vesting should have the same start

As stated in the comments, the _startTimestamp of all vesting schedules must be the same. However, such logic is not actually implemented.

    function createVestingSchedule(
        uint256 _totalAmount,
        uint184 _startTimestamp,
        uint16 _daysBeforeCliff,
        uint16 _daysAfterCliff,
        uint8 _vestingType,
        uint24 _dropCliff
    ) external onlyOwner {
        require(
            presaleSeed.saleState() == IPresaleCvgSeed.SaleState.OVER &&
                presaleWl.saleState() == IPresaleCvgWl.SaleState.OVER,
            "PRESALE_ROUND_NOT_FINISHED"
        );
        require(getWithdrawableAmount() >= _totalAmount, "AMOUNT");
        require(_totalAmount > 0, "LTE_AMOUNT");

        if (_vestingType == TYPE_TEAM) {
            require(_totalAmount == MAX_SUPPLY_TEAM, "WRONG_AMOUNT_TEAM");
        }

        if (_vestingType == TYPE_DAO) {
            require(_totalAmount == MAX_SUPPLY_DAO, "WRONG_AMOUNT_DAO");
        }

        uint256 vestingScheduleId = nextVestingScheduleId;
        vestingSchedulesIds.push(vestingScheduleId);

        vestingSchedulesTotalAmount += _totalAmount;

        //set struct vesting
        vestingSchedules[nextVestingScheduleId] = VestingSchedule({
            revoked: false,
            totalAmount: _totalAmount,
            totalReleased: 0,
            startTimestamp: _startTimestamp,
            daysBeforeCliff: _daysBeforeCliff,
            daysAfterCliff: _daysAfterCliff,
            vestingType: _vestingType,
            dropCliff: _dropCliff
        });

        vestingIdForType[_vestingType] = nextVestingScheduleId;
        nextVestingScheduleId++;
    }

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)

     Add such logic as stated in the inline comments
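One way to enforce the rule stated in the `@param _startTimestamp` comment, as an added example that is not part of the original report or the project's code. The contract name `VestingStartGuard`, the `sharedStartTimestamp` variable and the `START_ZERO` / `START_MISMATCH` / `NOT_OWNER` revert strings are hypothetical, and the struct is reduced to the fields the check needs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration, not the project's code: a reduced schedule registry that
/// enforces "every vesting should have the same start" at creation time.
contract VestingStartGuard {
    struct VestingSchedule {
        uint256 totalAmount;
        uint184 startTimestamp;
        uint8 vestingType;
    }

    address public immutable owner;
    // Hypothetical state variable; 0 means no schedule has been created yet.
    uint184 public sharedStartTimestamp;
    uint256 public nextVestingScheduleId;
    mapping(uint256 => VestingSchedule) public vestingSchedules;

    constructor() {
        owner = msg.sender;
    }

    function createVestingSchedule(
        uint256 _totalAmount,
        uint184 _startTimestamp,
        uint8 _vestingType
    ) external {
        require(msg.sender == owner, "NOT_OWNER");
        require(_totalAmount > 0, "LTE_AMOUNT");
        // 0 is reserved as the "unset" sentinel, so reject it as an input.
        require(_startTimestamp != 0, "START_ZERO");

        if (sharedStartTimestamp == 0) {
            // The first schedule fixes the start for all later ones.
            sharedStartTimestamp = _startTimestamp;
        } else {
            // A later schedule with a different start reverts instead of being stored.
            require(_startTimestamp == sharedStartTimestamp, "START_MISMATCH");
        }

        vestingSchedules[nextVestingScheduleId] = VestingSchedule({
            totalAmount: _totalAmount,
            startTimestamp: _startTimestamp,
            vestingType: _vestingType
        });
        nextVestingScheduleId++;
    }
}
```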

walk-on-me commented 1 year ago

Hello, Thanks a lot for your attention.

This is an issue only if there is a problem in the configuration made during the deployment.

We don't consider configuration issues as a breach. We therefore have to label this issue as Invalid.