fundrequest / vesting-wallets Goto Github PK

VestingWallet#registerVestingSchedule registers the vesting schedule and
assumes the _depositor will transfer tokens to vest. If this second implied transaction
does not occur or it transfers fewer tokens than the vesting schedule defines, some token
recipients will be unable to withdraw funds.

Impact: Potential loss of funds

Feasibility: High, can occur due to poor internal communication.

Mitigation: Redesign this into an approval flow where a vesting schedule does not become
valid/active until a corresponding deposit is made (or there already exists an appropriate
deposit).

There are no guards to prevent the _percentage argument from exceeding 100%. A
mistake or typo by the contract owner will not be caught, and will allocate more tokens than
intended. As a result, the recipient of the created schedule will be able to withdraw more
tokens than intended or allotted. Other vesting recipients may be unable to withdraw tokens
as a result.

Impact: Potential loss of funds

Feasibility: High, can occur with simple typo.

Mitigation: Add require(_percentage <= 100); between lines 98 and 99 in
VestingWallet#registerVestingScheduleWithPercentage

The devDependency solium was updated from 1.1.9 to 1.1.10.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

solium is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

Synopsis: When registering a vesting schedule and subsequently performing a
corresponding deposit, funds that are deposited over the sum of all existing vesting
schedules become inaccessible. Recovering those funds requires a new vesting schedule
for the extraneous amount to be created then calling VestingWallet#endVesting to
recover the funds.

Impact: Temporary locking of funds with reconciliation workflow possibly leading to
additional user input mistakes.

Feasibility: High, can occur with simple typo.

Mitigation: Implement a method that explicitly balances the deposit amount to match the
sum of all vesting schedules, refunding the remainder to the owner of the vesting wallet in
order to reduce the complexity of recovering from over-deposit and mitigate further mistakes.
This audit

The devDependency ganache-cli was updated from 6.1.8 to 6.2.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

ganache-cli is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴