Lack of a logic to `reset` the vesting term of an existing bonding position

[hats-bug-reporter[bot]]

Github username: @@0xmuxyz Submission hash (on-chain): 0xee0c47fe9a46f61b12cbf11ad4d3348634f24ac26c92e46aa37cb44f5a6c4d6d Severity: medium

Description: Title:\ Lack of a logic to reset the vesting term of an existing bonding position

Severity:\ Medium

Description:\ The ibo#deposit() can be called by both a new user and an existing IBO NFT holder (of the bond):

• When a new user call the ibo#deposit(), the new user can deposit their assets into a bond of specified bondId and receive a IBO NFT-minted.
• When an existing IBO NFT holder for the bond of specified bondId call the ibo#deposit(), the existing IBO NFT holder can increase the amount of the deposited-assets (bonded-assets) in the bond in order to increase the amount of $CVG tokens that can be redeemed.

Ibo.sol#L142-L220

    /**
     *  @notice deposit into a bond to get an NFT with an underlaying value of CVG
     *  @param tokenId uint256
     *  @param bondId uint256
     *  @param amountIn uint256
     *  @param amountOutMin uint256
     *  @param privilegeType uint256
     *  @param _merkleProof bytes32[]
     */
    function deposit(
        uint256 tokenId, 
        uint256 bondId,  
        uint256 amountIn,
        uint256 amountOutMin,
        uint256 privilegeType,
        bytes32[] calldata _merkleProof
    ) external {
         ...

According to the "Tokenized bonds" in the documentation, the vesting term of the existing position is supposed to be reset when an existing IBO NFT holder try to deposit their assets iteratively like this:

Users may iterate on an existing bonding position or create a new one at any time. However, iterating on an existing position (increase the amount of bonded asset and thus increase the amount of CVG that can be redeemed) will reset the vesting term.

However, within the ibo#deposit() above, there is no logic to reset a vesting term of an existing position when awhen an existing IBO NFT holder call the ibo#deposit() to increase the amount of bonded-asset.

This lead to unintended-behavior of this protocol that a vesting term of an existing bonding position would not be reset when an existing IBO NFT holder call the ibo#deposit() to increase the amount of bonded-asset.

Recommendation:\ Within the ibo#deposit(), consider a logic to reset a vesting term of an existing position when an existing IBO NFT holder deposit the amount of asset to increase the amount of bonded-asset like this:

• Every single time when a caller of the ibo#deposit() is an existing IBO NFT holder, the start timestamp of IBO would be updated to reset the vesting term of the existing bonding position and it would be stored into the iboLatestStartTimestamps storage.

• At the validation for a bond expiration, the iboLatestStartTimestamps storage, which the updated-starting timestamp would be stored, would be used instead of the _iboStartTimestamp.

• mapping(uint256 => uint256) public iboLatestStartTimestamps;

  ...

  function deposit( uint256 tokenId, /// @audit info - "token ID" would be associated with the IBO NFT. uint256 bondId, /// @audit info - "bond ID" would be associated with the underlyin tokens ($FRAX, $CRV, $CVX). uint256 amountIn, uint256 amountOutMin, uint256 privilegeType, bytes32[] calldata _merkleProof ) external { ... BondParams memory _bondParams = bondsParams[bondId]; uint256 cvgToSold; uint256 _tokenId; uint256 depositedUsdValue; uint256 _totalCvgDue = totalCvgDuePerBond[bondId];

• if (tokenId != 0) {

• require(ownerOf(tokenId) == msg.sender, "The caller does not have the tokenId of IBO NFT");

• iboLatestStartTimestamps[tokenId] = block.timestamp;

• }

  {
      bool isPrivilege;
      uint256 _iboStartTimestamp = iboStartTimestamp;
  
      /// @dev peprivilege
      if (block.timestamp < _iboStartTimestamp + 69 * 1 minutes) {
          require(merkleVerifyWl(_merkleProof, privilegeType), "INVALID_PROOF");
          isPrivilege = true;
      }
  
      /// @dev Bond expired after 6h

• require(block.timestamp <= iboLatestStartTimestamps[tokenId] + IBO_DURATION, "BOND_INACTIVE");

• require(block.timestamp <= _iboStartTimestamp + IBO_DURATION, "BOND_INACTIVE");

[walk-on-me]

Hello, Thanks a lot for your attention.

It's more a lack of documentation on the IBO level. This kind of vesting that'll reset will be used in the bonds we'll deploy with the full protocol. For the IBO, the vesting will start at the same time for everyone Also, the vesting of the IBO will start after the end of the IBO, so no collisions are possible.

We have so to consider this issue as Invalid