UniformlyProvidedVestingFacetStorage Manual Review Findings

UPF-01M: Inexistent Restriction of Cliff Updates

Type	Severity	Location
Input Sanitization		UniformlyProvidedVestingFacetStorage.sol:L227-L239

Description:

The UniformlyProvidedVestingFacetStorage::updateCliff function does not impose any restrictions on how often the cliff can be updated, the length for which it can be updated for, or the time at which the cliff is extended.

Impact:

As the input sanitization for the newCliffTimestamp is rudimentary, it is possible to perpetually extend the cliff of a particular campaign's vesting process.

Example:

Copy
227function updateCliff(Layout storage l, uint256 campaignId, uint256 newCliffTimestamp, address account) internal returns (uint256) {
228    if (account != GeneralStorage.layout().infoForId[campaignId].creator) revert NonCreator(campaignId, account);
229
230    CampaignVestingDetails storage campaignVestingDetails = l.campaignVestingDetails[campaignId];
231
232    if (newCliffTimestamp < block.timestamp || block.timestamp >= campaignVestingDetails.cliffTimestamp)
233        revert InvalidCliffUpdate(campaignId, campaignVestingDetails.cliffTimestamp, newCliffTimestamp);
234
235    campaignVestingDetails.cliffTimestamp = newCliffTimestamp;
236    campaignVestingDetails.vestingEndingTimestamp = newCliffTimestamp + campaignVestingDetails.totalVestingPeriod;
237
238    return campaignVestingDetails.vestingEndingTimestamp;
239}

Recommendation:

We advise the code to impose several restrictions so as to avoid a malicious creator perpetually updating a campaign's cliff maliciously.

Alleviation (d682057ecb):

A propose-and-approve mechanism has been introduced to the codebase in place of the original adjustment function, permitting a campaign's creator to propose a timestamp change that can be approved by an administrative member of the Nexera team.

A flaw in the current implementation is the fact that a creator can detect an approval operation pending and adjust the proposed timestamp at the last second, effectively permitting them to extend the timestamp to any value they wish "bypassing" the approval of the Nexera team.

We advise a control variable to be introduced to the approve / reject function flows, permitting the administrator to provide the timestamp they are approving and rejecting the proposal if there is a mismatch.

Alleviation (1de30b88ac):

The approval and rejection mechanisms have been updated to include a timestamp control variable, addressing the previous concern and thus alleviating this exhibit in full.