
Add_Withdrawal_Address_Whitelisting_for_Beneficiaries#182

Merged
JerryIdoko merged 1 commit into Vesting-Vault:main from
shamoo53:Add_Withdrawal_Address_Whitelisting_for_Beneficiaries
Mar 27, 2026

@shamoo53
Contributor

🚀 PR: Add Withdrawal Address Whitelisting for Beneficiaries

🧭 Overview

This PR introduces a withdrawal address whitelisting mechanism for beneficiaries, enhancing security by ensuring vested tokens can only be claimed to a pre-approved address. It includes a 48-hour timelock for updates, adding an extra layer of protection against phishing and wallet compromise.


🎯 Problem

Currently, if a beneficiary’s wallet is compromised:

  • Attackers can redirect withdrawals to malicious addresses
  • There is no restriction on payout destinations
  • Long-term vested funds are at risk

This creates a critical vulnerability, especially for high-value vesting contracts.


💡 Solution

  • Introduce a whitelisted payout address for each beneficiary
  • Add a set_authorized_payout_address function
  • Enforce a 48-hour timelock before changes take effect
  • Restrict withdrawals strictly to the authorized address

This creates a multi-layer defense system against unauthorized withdrawals.


🛠 Scope of Work

🔐 Address Whitelisting

  • Implemented storage for authorized payout address per beneficiary
  • Enforced validation so withdrawals can only be sent to this address

⏳ Timelocked Updates

  • Added set_authorized_payout_address function
  • Introduced a 48-hour delay before a new address becomes active
  • Prevents instant redirection by attackers

🛡 Security Enhancements

  • Protects against phishing and wallet compromise scenarios
  • Ensures attackers cannot redirect funds even with temporary access

⚙️ Contract Logic Updates

  • Updated withdrawal logic to enforce address checks
  • Added safeguards for pending address updates

📊 Acceptance Criteria

  • ✔️ Beneficiaries can set an authorized payout address
  • ✔️ Withdrawals are restricted to the whitelisted address
  • ✔️ Address updates are subject to a 48-hour timelock
  • ✔️ Unauthorized addresses cannot receive funds
  • ✔️ Existing vesting logic remains unaffected

🧪 Testing

  • Tested setting and updating payout address
  • Verified timelock enforcement before activation
  • Ensured withdrawals fail for non-whitelisted addresses
  • Simulated compromised wallet scenarios

📚 Notes

  • Designed for long-term asset security in vesting contracts
  • Encourages use of hardware wallets for payout addresses
  • Can be extended with multi-signature or recovery mechanisms in future

🏁 Summary

This PR significantly strengthens the Vesting Vault by introducing secure, timelocked withdrawal address controls, protecting beneficiaries from phishing attacks and unauthorized fund redirection.
Closes #135
Closes #134
Closes #136
Closes #133
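
The timelocked whitelist described in the PR body above, sketched as an added example that is not taken from the Vesting-Vault code. It is plain Rust with no contract SDK; `PayoutPolicy`, its fields, the `Error` variants, the string addresses and the choice to apply the 48-hour delay to the first address as well are all assumptions made for illustration.

```rust
// Added illustration: a plain-Rust model, not the Vesting-Vault contract code.
// Names, u64 second timestamps and String addresses are assumptions.
const TIMELOCK_SECS: u64 = 48 * 60 * 60; // 48-hour delay from the PR description

#[derive(Default)]
pub struct PayoutPolicy {
    active: Option<String>,         // address withdrawals may currently go to
    pending: Option<(String, u64)>, // (proposed address, time it becomes active)
}

#[derive(Debug, PartialEq)]
pub enum Error { NoAuthorizedAddress, DestinationNotAuthorized }

impl PayoutPolicy {
    /// Queue a new payout address; it only takes effect after the timelock.
    /// Assumption: a repeated call replaces the pending entry and restarts the clock.
    pub fn set_authorized_payout_address(&mut self, addr: &str, now: u64) -> u64 {
        self.promote(now); // do not lose a matured change when queuing another
        let activates_at = now + TIMELOCK_SECS;
        self.pending = Some((addr.to_string(), activates_at));
        activates_at
    }

    /// Move a matured pending address into the active slot.
    fn promote(&mut self, now: u64) {
        if let Some((addr, at)) = self.pending.take() {
            if now >= at { self.active = Some(addr); } else { self.pending = Some((addr, at)); }
        }
    }

    /// Withdrawal-time check: the destination must equal the active address.
    pub fn check_withdrawal(&mut self, dest: &str, now: u64) -> Result<(), Error> {
        self.promote(now);
        match &self.active {
            None => Err(Error::NoAuthorizedAddress),
            Some(a) if a.as_str() == dest => Ok(()),
            Some(_) => Err(Error::DestinationNotAuthorized),
        }
    }
}

fn main() {
    let mut p = PayoutPolicy::default();
    let at = p.set_authorized_payout_address("GHARDWARE", 0); // constructed sample address
    let r = p.check_withdrawal("GHARDWARE", at);
    println!("activates at {}: {:?}", at, r);
}
```

In this model a change queued during a period of temporary wallet access leaves the previous address as the only valid destination until the delay elapses, which is the window in which the beneficiary can notice the pending update.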

Add_Withdrawal_Address_Whitelisting_for_Beneficiaries
@drips-wave

drips-wave bot commented Mar 27, 2026

@shamoo53 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@JerryIdoko JerryIdoko merged commit f81d8e8 into Vesting-Vault:main Mar 27, 2026
1 check failed