Omniscia Sheesha Finance Audit

Mozik Manual Review Findings

MOZ-01M: Improper Configuration Sanitization

Type | Severity | Location
Input Sanitization | Minor | Mozik.sol:L9-L39

Description:

The Mozik contract improperly sanitizes the configurational values that are meant to be assigned to the AdvanceVesting and BaseVesting contract implementations.

Example:

contracts/ETH/Mozik.sol
require(token_ != address(0), "Invalid reward token address");
require(startDate_ != 0, "TGE timestamp can't be 0");
require(
    vestingDuration_ > 0 && tgePercentage_ > 0,
    "The vesting duration and tgePercentage cannot be 0"
);
require(
    totalAllocatedAmount_ != 0,
    "The number of tokens for distribution cannot be 0"
);

Recommendation:

We advise imposing additional checks, such as requiring the tgePercentage to be less than the maximum percentage and the amount unlocked between firstRelease and vestingTimeEnd to be below the total percentage when added to the LGE, along with other similar logic checks.
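One way to express such bounds in a constructor, as an added example that is not the audited project's code. MAX_PERCENTAGE, period_, everyPeriodPercentage_, the 100-based percentage scale and the fixed per-period unlock model are assumptions made for illustration; only the first three require statements mirror the excerpt above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the Mozik / AdvanceVesting / BaseVesting source.
// Assumed model: tgePercentage_ unlocks at startDate_, then everyPeriodPercentage_
// (hypothetical) unlocks once per period_ (hypothetical) between firstRelease_
// and vestingTimeEnd_. Percentages are assumed to be on a 0-100 scale.
contract VestingConfigExample {
    uint256 public constant MAX_PERCENTAGE = 100; // hypothetical scale

    address public immutable token;
    uint256 public immutable startDate;
    uint256 public immutable totalAllocatedAmount;

    constructor(
        address token_,
        uint256 startDate_,
        uint256 firstRelease_,
        uint256 vestingTimeEnd_,
        uint256 period_,
        uint256 tgePercentage_,
        uint256 everyPeriodPercentage_,
        uint256 totalAllocatedAmount_
    ) {
        // Zero checks, as in the excerpt above.
        require(token_ != address(0), "Invalid reward token address");
        require(startDate_ != 0, "TGE timestamp can't be 0");
        require(totalAllocatedAmount_ != 0, "The number of tokens for distribution cannot be 0");

        // Upper bound: a non-zero check alone accepts values above the scale.
        // "<=" is an assumption so a schedule may sum to exactly MAX_PERCENTAGE.
        require(tgePercentage_ > 0 && tgePercentage_ <= MAX_PERCENTAGE, "tgePercentage out of range");

        // Ordering: releases cannot precede the TGE and the window must be non-empty.
        require(firstRelease_ >= startDate_, "firstRelease before TGE");
        require(vestingTimeEnd_ > firstRelease_, "Vesting window is empty");
        require(period_ > 0 && everyPeriodPercentage_ > 0, "Invalid period configuration");

        // Total unlocked over the window plus the TGE share must not exceed the scale.
        // Checked arithmetic (>=0.8.0) reverts on overflow instead of wrapping.
        uint256 periods = (vestingTimeEnd_ - firstRelease_) / period_;
        require(periods > 0, "Window shorter than one period");
        require(tgePercentage_ + periods * everyPeriodPercentage_ <= MAX_PERCENTAGE, "Unlock schedule exceeds maximum");

        token = token_;
        startDate = startDate_;
        totalAllocatedAmount = totalAllocatedAmount_;
    }
}
```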

Alleviation:

The configurational values of AdvanceVesting are now assigned by the contract's constructor instead of at the contract level. Additionally, the AdvanceVesting constructor and the inherited BaseVesting implementation apply the necessary sanitization checks in their respective constructors, thus alleviating this exhibit.