Omniscia Bluejay Finance Audit
WhitelistSalePrivate Manual Review Findings
PAC-01M: Inexistent Sanitization of Vesting Start
Type | Severity | Location
---|---|---
Input Sanitization | | WhitelistSalePrivate.sol:L157
Description:
The `_vestingStart` variable remains unsanitized, while the logic that utilizes it assumes it is less than the current `block.timestamp`.
Example:
```solidity
156  function setVestingStart(uint256 _vestingStart) public onlyOwner {
157      vestingStart = _vestingStart;
158  }
```
Recommendation:
We advise a `require` check to be imposed ensuring this condition.
Alleviation:
The code of `vestedTokens` was updated instead to support a future `vestingStart` value, thus alleviating this exhibit in full.
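The two ways of closing this exhibit, as an added illustration that is not Bluejay's code: the `require` check from the recommendation, and a `vestedTokens` that tolerates a future `vestingStart` as the alleviation describes. The Bluejay `vestedTokens` implementation is not shown in the report, so the linear-vesting logic, `vestingDuration`, `purchased` and `claimed` below are assumptions modelled on the report's identifiers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the audited contract. Storage layout and the linear
// vesting formula are assumptions; only setVestingStart mirrors the report.
contract VestingStartExample {
    address public owner;
    uint256 public vestingStart;
    uint256 public vestingDuration = 30 days;          // assumed vesting window
    mapping(address => uint256) public purchased;      // assumed: tokens bought per account
    mapping(address => uint256) public claimed;        // assumed: tokens already withdrawn

    modifier onlyOwner() { require(msg.sender == owner, "Not owner"); _; }

    constructor() { owner = msg.sender; }

    // Option A (the recommendation): refuse a start in the future, so every
    // consumer may keep assuming vestingStart <= block.timestamp.
    function setVestingStartChecked(uint256 _vestingStart) public onlyOwner {
        require(_vestingStart <= block.timestamp, "Vesting start in future");
        vestingStart = _vestingStart;
    }

    // Option B (the alleviation applied): keep the setter as in the report and
    // make the consumer handle a future start instead.
    function setVestingStart(uint256 _vestingStart) public onlyOwner {
        vestingStart = _vestingStart;
    }

    function vestedTokens(address account) public view returns (uint256) {
        // Nothing vests before the schedule starts (or while it is unset).
        // Without this guard the subtraction below reverts under 0.8 checked
        // arithmetic, and on older compilers would wrap to a huge "elapsed".
        if (vestingStart == 0 || block.timestamp < vestingStart) return 0;
        uint256 elapsed = block.timestamp - vestingStart;
        if (elapsed >= vestingDuration) return purchased[account];
        return (purchased[account] * elapsed) / vestingDuration;
    }

    function claimable(address account) public view returns (uint256) {
        return vestedTokens(account) - claimed[account];
    }
}
```

Either option alone is sufficient; the defensive check in `vestedTokens` is the one that protects every current and future caller, whereas the setter check only protects callers that rely on the assumption the report names.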
PAC-02M: Inexistent Price Validation of Purchases
Type | Severity | Location
---|---|---
Logical Fault | | WhitelistSalePrivate.sol:L76, L153
Description:
The `purchase` function does not validate the total tokens bought; it utilizes the `price` variable directly, which can change at any moment.
Example:
```solidity
74   function purchase(uint256 amount, address recipient) public override {
75       require(!paused, "Paused");
76       uint256 tokensBought = (amount * WAD) / price;
77       require(quota[msg.sender] >= tokensBought, "Insufficient quota");
78
79       quota[msg.sender] -= tokensBought;
80       reserve.safeTransferFrom(msg.sender, address(treasury), amount);
81       purchased[recipient] += tokensBought;
82       totalPurchased += tokensBought;
83       require(totalPurchased <= maxPurchasable, "Max purchasable reached");
84
85       treasury.mint(address(this), tokensBought);
86
87       emit Purchase(msg.sender, recipient, amount, tokensBought);
88   }
```
Recommendation:
We advise the `price` either to be changeable only while the contract is paused, or for an additional argument to be introduced to the `purchase` call that mandates a minimum amount of tokens bought.
Alleviation:
The `setPrice` function is now only invokable when the contract is `paused`, thereby alleviating this exhibit.