sherlock-audit / 2024-01-rio-vesting-escrow-judging

sonny2k - Missing check on vesting end when deploying a new Vesting Escrow #118

Closed sherlock-admin closed 9 months ago

sherlock-admin commented 9 months ago

sonny2k

high

Missing check on vesting end when deploying a new Vesting Escrow

Summary

There is no check whether the vesting end is in the past.

Vulnerability Detail

In deployVestingContract(), the Factory owner may mistakenly put the vesting start and vesting period in the past.

Impact

The vesting period will end immediately and the recipient can claim all the funds without waiting.

Code Snippet

https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrowFactory.sol#L51

Tool used

Manual Review

Recommendation

Perform a validation in deployVestingContract():

+ if (vesting_start + vesting_duration <= block.timestamp) revert INVALID_VESTING_END();
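
Review bot: the condition vesting_start + vesting_duration <= block.timestamp only rejects a schedule whose end has already passed, so a vesting_start in the past with an end still in the future passes this check and part of the schedule has already elapsed at deployment. If backdated starts are not intended, add a separate check that vesting_start >= block.timestamp. The INVALID_VESTING_END error is not declared in this line and needs a declaration in the contract. Confirm that vesting_start and vesting_duration match the parameter names actually used in deployVestingContract().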

Duplicate of #101

sherlock-admin2 commented 9 months ago

1 comment(s) were left on this issue during the judging contest.

pratraut commented:

'valid, as a check on the start time is a must to prevent the owner from deploying a vesting contract with a start time in the past'