In this contract, the instantiate() function is use to instantiate the vesting contract. This function take in the Config struct and save it to the storage of the contract.
The Config struct consist of recipient, _is_multi_batchenabled, denom, and _unboundingduration. Now the values in InstantiateMsg is use for the construction of this Config struct which is save to storage. Among the values in the Config struct, The recipient address which is the recipient of all funds locked in this contract lack a validation check on the existence of the provided recipient address. Without this validation, an incorrect or non-existent address mistakenly entered could lead to lock of fund in this contract as claims locked in each batch is been transferred only to the recipient.
The contract should validate the authenticity of recipient as wrong address become immutable after deployment/instantiation and additionally this contract does not have a function to change the recipient address which could render the contract unusable if the proper address is not passed in.
Recommendation:
It is advise to implement a comprehensive validation for the address within the instantiate function. This should check to confirm the validity and existence of the provided recipient address
skinneomeje
Medium
Lack of validation of recipient address could lead to lock of funds in andromeda-vesting contract
https://github.com/sherlock-audit/2024-05-andromeda-ado/blob/main/andromeda-core/contracts/finance/andromeda-vesting/src/contract.rs#L34-L50
In this contract, the instantiate() function is use to instantiate the vesting contract. This function take in the Config struct and save it to the storage of the contract. The Config struct consist of recipient, _is_multi_batchenabled, denom, and _unboundingduration. Now the values in InstantiateMsg is use for the construction of this Config struct which is save to storage. Among the values in the Config struct, The recipient address which is the recipient of all funds locked in this contract lack a validation check on the existence of the provided recipient address. Without this validation, an incorrect or non-existent address mistakenly entered could lead to lock of fund in this contract as claims locked in each batch is been transferred only to the recipient. The contract should validate the authenticity of recipient as wrong address become immutable after deployment/instantiation and additionally this contract does not have a function to change the recipient address which could render the contract unusable if the proper address is not passed in.
Recommendation: It is advise to implement a comprehensive validation for the address within the instantiate function. This should check to confirm the validity and existence of the provided recipient address