Inadequate Validation of startTime parameter in VestingEscrowFactory Contract
Summary
The VestingEscrowFactory lacks input validation for the vestingStart parameter in deployVestingContract(), which is responsible for deploying escrow contracts. The lack of a check on vestingStart may lead to an overestimation of vested and locked token amounts, impacting the functionality of various contract methods.
If a value from the past is mistakenly passed when deploying an escrow, _totalVestedAt() on the escrow contract could overstate the amount of tokens vested.
This overstatement would affect the value returned by the unclaimed() function, allowing users to claim more tokens than they should before the intended vesting period.
    function revokeAll() external onlyOwner {
        if (!isFullyRevokable) revert NOT_FULLY_REVOKABLE();
        if (isFullyRevoked) revert ALREADY_FULLY_REVOKED();
        // The revokable amount is derived from locked() and unclaimed(),
        // both of which depend on the vesting start time.
        uint256 revokable = locked() + unclaimed();
        if (revokable == 0) revert NOTHING_TO_REVOKE();
        isFullyRevoked = true;
        disabledAt = uint40(block.timestamp);
        token().safeTransfer(_owner(), revokable);
        emit VestingFullyRevoked(msg.sender, revokable);
    }
Additionally, the locked() function would understate the amount intended to be locked.
This understatement affects the calculation of the revokable amount in revokeUnvested() and revokeAll(), potentially limiting the ability of the Owner or Manager to revoke tokens correctly or disabling the revocation functionality entirely via revert.
Impact
An incorrect startTime may overstate vested amounts, enabling early claiming, and may limit the ability of the owner or manager to revoke tokens.
Code Snippet
See above.
Tool used
Manual Review
Recommendation
Implement a validation check for the startTime parameter in the VestingEscrowFactory contract. This check should ensure that startTime is greater than the current block timestamp.
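The effect described in this report, as an added example that is not code from the audited contracts: a simplified Python model of an escrow that assumes linear vesting with no cliff. The names `Escrow`, `deploy` and `compare`, the error message and all numbers are constructed for illustration.

```python
from dataclasses import dataclass

DAY = 86_400

@dataclass(frozen=True)
class Escrow:
    """Hypothetical model: linear vesting, no cliff (assumption, not the audited source)."""
    total_locked: int
    start: int
    end: int
    claimed: int = 0

    def total_vested_at(self, t: int) -> int:
        if t < self.start:
            return 0
        if t >= self.end:
            return self.total_locked
        return self.total_locked * (t - self.start) // (self.end - self.start)

    def unclaimed(self, t: int) -> int:
        return self.total_vested_at(t) - self.claimed

    def locked(self, t: int) -> int:
        return self.total_locked - self.total_vested_at(t)

def deploy(total: int, start: int, duration: int, now: int, validate: bool) -> Escrow:
    """Stand-in for the factory call; validate=True applies the recommended check."""
    if validate and start <= now:
        raise ValueError("vesting start must be greater than the current block timestamp")
    return Escrow(total, start, start + duration)

def compare(now: int = 1_700_000_000) -> dict:
    """Constructed numbers: 1,000,000 tokens vesting over 365 days."""
    total, duration = 1_000_000, 365 * DAY
    intended = deploy(total, now + DAY, duration, now, validate=True)
    backdated = deploy(total, now - 180 * DAY, duration, now, validate=False)
    expired = deploy(total, now - 400 * DAY, duration, now, validate=False)
    return {  # (unclaimed, locked) as seen at deployment time
        "intended": (intended.unclaimed(now), intended.locked(now)),
        "backdated": (backdated.unclaimed(now), backdated.locked(now)),
        "expired": (expired.unclaimed(now), expired.locked(now)),
    }

if __name__ == "__main__":
    for name, (unclaimed, locked) in compare().items():
        print(f"{name:9} unclaimed={unclaimed:>9} locked={locked:>9}")
```

In this model the backdated schedule is already about half claimable at deployment, and the fully expired one leaves locked() at zero.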
0xk3y
medium
Code references: VestingEscrowFactory.sol L51-69; VestingEscrow.sol L275, L123, L137, L127, L167, L181
Duplicate of #101