Omniscia Sheesha Finance Audit
DeFire Manual Review Findings
DeFire Manual Review Findings
DFE-01M: Improper Configuration Sanitization
Type | Severity | Location |
---|---|---|
Input Sanitization | Minor | DeFire.sol:L9-L38 |
Description:
The DeFire
contract improperly sanitizes the configurational values that are meant to be assigned to the AdvanceVesting
and BaseVesting
contract implementations.
Example:
17require(token_ != address(0), "Invalid reward token address");18require(startDate_ != 0, "TGE timestamp can't be 0");19require(20 vestingDuration_ > 0 && cliffDuration_ > 0,21 "The vesting and cliff duration cannot be 0"22);23require(24 totalAllocatedAmount_ > 0,25 "The number of tokens for distribution cannot be 0"26);
Recommendation:
We advise additional checks to be imposed, such as the tgePercentage
to be less than the maximum percentage, the amount unlocked between firstRelease
and vestingTimeEnd
to be below the total percentage when added to the LGE and other similar logic checks.
Alleviation:
The configurational values of AdvanceVesting
are now assigned by the contract's constructor
instead of being done so on the contract level. Additionally, the AdvanceVesting
constructor as well as inherited BaseVesting
implementation apply the necessary sanitization checks in their respective constructor
functions thus alleviating this exhibit.
DFE-02M: Improper AdvanceVesting
Inheritence
Type | Severity | Location |
---|---|---|
Logical Fault | Informational | DeFire.sol:L6, L16 |
Description:
THe DeFire
contract inherits from the AdvanceVesting
contract but does not set the tgePercentage
value.
Example:
9constructor(10 address signer_,11 address token_,12 uint256 startDate_,13 uint256 cliffDuration_,14 uint256 vestingDuration_,15 uint256 totalAllocatedAmount_16) AdvanceVesting(signer_) {17 require(token_ != address(0), "Invalid reward token address");18 require(startDate_ != 0, "TGE timestamp can't be 0");19 require(20 vestingDuration_ > 0 && cliffDuration_ > 0,21 "The vesting and cliff duration cannot be 0"22 );23 require(24 totalAllocatedAmount_ > 0,25 "The number of tokens for distribution cannot be 0"26 );27 token = IERC20(token_);28 startDate = startDate_;29 cliffDuration = cliffDuration_;30 vestingDuration = vestingDuration_;31 firstRelease = startDate.add(cliffDuration_);32 vestingTimeEnd = startDate.add(cliffDuration_).add(vestingDuration_);33 periods = vestingDuration_.div(PERIOD);34 everyDayReleasePercentage = PERCENTAGE.div(periods);35 totalAllocatedAmount = totalAllocatedAmount_;36 tokensForNative = totalAllocatedAmount_.div(3);37 tokensForLP = totalAllocatedAmount_.sub(tokensForNative);38}
Recommendation:
We advise whether this is intended is validated as a specified cliff duration with a zero amount of TGE unlocked is illogical.
Alleviation:
The team stated that the current structure is desired for the specification of a cliff period. We noted that a cliff period with a zero amount unlocked is equivalent to setting the start period in the future, however, the team desired to retain the codebase as is.