hats-finance / Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777

IBO, Vesting & Bond mechanism repo prepared for the Hats Finance audit competition

The `startingTimestamp` of each vesting (Seed, Presale, IBO, Team, DAO) may not be aligned due to lack of the validation #67

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: @0xmuxyz
Submission hash (on-chain): 0xde1ce1a5294a9c9ece3d09a04ccabbb90f6e23987939bf96c1d57eb3a25a010e
Severity: medium

Title: The startingTimestamp of each vesting (Seed, Presale, IBO, Team, DAO) may not be aligned due to lack of validation

Severity: Medium

Description: Within the VestingCvg contract, the vestingSchedules storage is defined to associate a vestingScheduleId with the vesting schedule info (the VestingSchedule struct) like this: VestingCvg.sol#L73

    /// @dev VestingScheduleId associated to the vesting schedule info
    mapping(uint256 => VestingSchedule) public vestingSchedules; // vestingScheduleId =>  VestingSchedule

Within the VestingCvg contract, the VestingSchedule struct is defined; the startTimestamp and the vestingType are defined as properties of the VestingSchedule struct like this: VestingCvg.sol#L28 VestingCvg.sol#L31

    /// @dev Struct Info about VestingSchedules
    struct VestingSchedule {
        bool revoked;
        uint184 startTimestamp; /// @audit
        uint16 daysBeforeCliff; 
        uint16 daysAfterCliff;
        uint8 vestingType;  /// @audit
        uint24 dropCliff;
        uint256 totalAmount;
        uint256 totalReleased;
    }

Within VestingCvg#createVestingSchedule(), the _startTimestamp is stored into the startTimestamp property of the vestingSchedules storage for the vestingScheduleId (vestingSchedules[nextVestingScheduleId]). As a result, each vesting's data, like below, is associated in the vestingSchedules storage:

VestingCvg.sol#L173 VestingCvg.sol#L176 VestingCvg.sol#L205 VestingCvg.sol#L208

    /**
     * @notice Create vestingScheduleId for a specific type of presalers
                    - function only usable by owner
                    - update the total CVG amount available on this contract
     * @param _totalAmount total CVG amount allocated for the presaler type
     * @param _startTimestamp start timestamp of the vesting, every vesting should have the same start  ///<-------------------- @audit
     * @param _daysBeforeCliff daysBeforeCliff - period in days between start of the schedule and the cliff
     * @param _daysAfterCliff daysAfterCliff - period in days between the cliff and the end of the vesting
     * @param _vestingType type presaler vesting (ex : 1=SEED/PRESEED, 2=WL_S, 3=WL_M, 4=WL_L, 5=TEAM, 6=DAO)
     * @param _dropCliff Percent drop at the daysBeforeCliff release (per 1000) => 50% = 500 / 5% = 50
     */
    function createVestingSchedule(
        uint256 _totalAmount,
        uint184 _startTimestamp, ///<-------------------- @audit
        uint16 _daysBeforeCliff,
        uint16 _daysAfterCliff,
        uint8 _vestingType,  ///<-------------------- @audit
        uint24 _dropCliff
    ) external onlyOwner {
        ...
        //set struct vesting
        vestingSchedules[nextVestingScheduleId] = VestingSchedule({
            revoked: false,
            totalAmount: _totalAmount,
            totalReleased: 0,
            startTimestamp: _startTimestamp, ///<-------------------- @audit
            daysBeforeCliff: _daysBeforeCliff,
            daysAfterCliff: _daysAfterCliff,
            vestingType: _vestingType,  ///<-------------------- @audit
            dropCliff: _dropCliff
        });
        ...

According to the NatSpec of VestingCvg#createVestingSchedule() above, the _startTimestamp assigned as a parameter for each vestingType (Seed, Presale, IBO, Team, DAO) is supposed to be the same starting timestamp, like this: VestingCvg.sol#L165

    * @param _startTimestamp start timestamp of the vesting, every vesting should have the same start

For example,

However, within VestingCvg#createVestingSchedule() above, there is no validation to check whether or not the _startTimestamp to be assigned is the same as the startTimestamp of the other vestingTypes (Seed, Presale, IBO, Team, DAO) that have already been created.

This leads to a bad situation in which each vesting (Seed, Presale, IBO, Team, DAO) has a different starting timestamp, meaning that the starting timestamp (startTimestamp) of each vestingType (Seed, Presale, IBO, Team, DAO) would not be aligned.

Recommendation: Within VestingCvg#createVestingSchedule(), consider adding a validation to check whether or not the _startTimestamp to be assigned is the same as the startTimestamp of the other vestingTypes (Seed, Presale, IBO, Team, DAO) that have already been created.
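One way to implement the check the report recommends, as an added example that is hypothetical and not the project's own code: the struct layout follows the snippet above, while the shared-start storage variable, the custom error and the id numbering are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;
/// Hypothetical minimal contract (not the Convergence VestingCvg) showing one
/// way to enforce the NatSpec rule "every vesting should have the same start":
/// the first schedule fixes the shared start, every later one must match it.
contract VestingStartAligned {
    struct VestingSchedule {
        bool revoked;
        uint184 startTimestamp;
        uint16 daysBeforeCliff;
        uint16 daysAfterCliff;
        uint8 vestingType;
        uint24 dropCliff;
        uint256 totalAmount;
        uint256 totalReleased;
    }

    address public owner;
    uint256 public nextVestingScheduleId = 1; // assumption: ids start at 1
    /// Start shared by all schedules; 0 means no schedule created yet.
    uint184 public sharedStartTimestamp;
    mapping(uint256 => VestingSchedule) public vestingSchedules;
    error StartTimestampMismatch(uint184 expected, uint184 given);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    function createVestingSchedule(
        uint256 _totalAmount,
        uint184 _startTimestamp,
        uint16 _daysBeforeCliff,
        uint16 _daysAfterCliff,
        uint8 _vestingType,
        uint24 _dropCliff
    ) external onlyOwner {
        require(_startTimestamp != 0, "zero start");
        if (sharedStartTimestamp == 0) {
            sharedStartTimestamp = _startTimestamp; // first schedule fixes the start
        } else if (_startTimestamp != sharedStartTimestamp) {
            revert StartTimestampMismatch(sharedStartTimestamp, _startTimestamp);
        }
        vestingSchedules[nextVestingScheduleId++] = VestingSchedule({
            revoked: false, totalAmount: _totalAmount, totalReleased: 0,
            startTimestamp: _startTimestamp, daysBeforeCliff: _daysBeforeCliff,
            daysAfterCliff: _daysAfterCliff, vestingType: _vestingType, dropCliff: _dropCliff
        });
    }
}
```

A second call with a different _startTimestamp reverts with StartTimestampMismatch, so misaligned schedules cannot be created even by the owner.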

shalbe-cvg commented 1 year ago

Hello, Thanks a lot for your attention.

This issue has already been reported in a previous issue and is a misconfiguration problem that would happen on our side, please check it: https://github.com/hats-finance/Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777/issues/28

We therefore have to consider this issue as Invalid.