Omniscia Pareto Audit

ParetoVesting Manual Review Findings

PVG-01M: Insecure Casting of Amounts

Type	Severity	Location
Logical Fault		ParetoVesting.sol:L138

Description:

The ParetoVesting::constructor will not validate that the amount of each allocation fits within the uint128 data type, permitting casting overflows to occur.

Impact:

An incorrect schedule that resulted in an overflow will be inoperable and will incorrectly skew the token recovery mechanism of the system.

Example:

src/vesting/ParetoVesting.sol

130for (uint256 i = 0; i < allocations.length; ++i) {
131  address beneficiary = allocations[i].beneficiary;
132  uint256 amount = allocations[i].amount;
133
134  if (beneficiary == address(0)) revert VestingZeroAddress();
135  if (amount == 0) revert VestingZeroAllocation();
136  if (_schedules[beneficiary].totalAllocated != 0) revert VestingDuplicateBeneficiary();
137
138  _schedules[beneficiary] = Schedule({totalAllocated: uint128(amount), totalClaimed: 0});
139
140  allocated += amount;
141}
142totalAllocated = allocated;

Recommendation:

We advise the code to ensure each cast is performed safely either through a helper library or by validating that the amount of each entry is less than type(uint128).max.

Alleviation:

The Pareto team clarified that the schedules are defined via a deployment script we will review and that their values can be safely cast into a uint128 variable, rendering this exhibit inapplicable.

Omniscia Pareto Audit

ParetoVesting Manual Review Findings

ParetoVesting Manual Review Findings

PVG-01M: Insecure Casting of Amounts

Description:

Impact:

Example:

Recommendation:

Alleviation:

ParetoSmartWalletChecker.sol (PSW-M)

VeVotesAdapter.sol (VVA-M)

On this page