
Add validation for withdrawal and refund delays in KeepWhatsRaised contract (OZ-15) #20

Merged: mahabubAlahi merged 2 commits into oz-audit-fixes from oz-fix-issue-15 on Mar 19, 2026

@mahabubAlahi (Collaborator)

  • Introduced a new error to revert transactions when withdrawalDelay is less than refundDelay, ensuring claimFund can only be called after the refund window ends.
  • Updated the configuration documentation to reflect this new requirement for withdrawal and refund delays.

…ntract

- Introduced a new error to revert transactions when withdrawalDelay is less than refundDelay, ensuring claimFund can only be called after the refund window ends.
- Updated the configuration documentation to reflect this new requirement for withdrawal and refund delays.

  • mahabubAlahi changed the base branch from main to oz-audit-fixes, March 3, 2026 08:25
  • mahabubAlahi self-assigned this, Mar 3, 2026
  • mahabubAlahi added the enhancement label, Mar 3, 2026
  • rayedsikder deleted the branch oz-audit-fixes, March 13, 2026 16:07
  • rayedsikder reopened this, Mar 18, 2026
  • mahabubAlahi changed the title from "Add validation for withdrawal and refund delays in KeepWhatsRaised contract" to "Add validation for withdrawal and refund delays in KeepWhatsRaised contract (OZ-15)", Mar 19, 2026
  • mahabubAlahi merged commit 4e7e6ca into oz-audit-fixes, Mar 19, 2026
  • mahabubAlahi deleted the oz-fix-issue-15 branch, March 19, 2026 07:54

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1a7e7e48ef

Comment on lines +534 to +535
if (config.withdrawalDelay < config.refundDelay) {
revert KeepWhatsRaisedWithdrawalBeforeRefundEnd(config.withdrawalDelay, config.refundDelay);
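
Review bot: The comparison `config.withdrawalDelay < config.refundDelay` is strict, so a configuration in which the two delays are equal passes this check without reverting. If the intent stated in the description is that claimFund is callable only after the refund window ends, say in the configuration documentation whether equal delays are meant to be allowed, and add a test that pins the behaviour at that boundary. Both arguments passed to KeepWhatsRaisedWithdrawalBeforeRefundEnd are delays, so the error's documentation should name which is which for anyone decoding the revert data.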

[P1] Allow withdrawalDelay to be shorter than refundDelay

In the non-cancelled flow, withdraw() becomes a full-balance withdrawal as soon as block.timestamp > getDeadline() and remains callable until deadline + s_config.withdrawalDelay (src/treasuries/KeepWhatsRaised.sol, withdraw, lines 873-899), while claimRefund() stays open until deadline + s_config.refundDelay and reverts once s_availablePerToken has been drained (lines 977-990). This new check removes the only way to configure withdrawals to stop before refunds do, so every future deployment must keep final withdrawals open for the entire refund window, letting an approved owner/admin empty the treasury before backers finish refunding.

Useful? React with 👍 / 👎.
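
The timing described in the review comment above, as an added Python model that is not part of the pull request or the contract. It assumes both windows open just after the deadline and close inclusively at deadline + delay, and that a final withdraw takes the whole available balance; `Config`, `replay` and the sample pledges and events are constructed for illustration.

```python
from dataclasses import dataclass

DAY = 86_400

@dataclass(frozen=True)
class Config:                 # hypothetical stand-in for the contract's config
    deadline: int             # campaign deadline, unix seconds
    withdrawal_delay: int     # models config.withdrawalDelay
    refund_delay: int         # models config.refundDelay

class Revert(Exception):
    pass

def validate(cfg):
    """The check this PR adds: reject withdrawalDelay < refundDelay."""
    if cfg.withdrawal_delay < cfg.refund_delay:
        raise Revert("KeepWhatsRaisedWithdrawalBeforeRefundEnd")

def refund_only_seconds(cfg):
    """Time during which refunds are open but final withdrawals are closed."""
    return max(0, cfg.refund_delay - cfg.withdrawal_delay)

def overlap_seconds(cfg):
    """Time during which a final withdrawal and a refund are both callable."""
    return min(cfg.withdrawal_delay, cfg.refund_delay)

def replay(cfg, pledges, events):
    """Replay (timestamp, action, caller) events; return (action, caller, ok)."""
    available = sum(pledges.values())
    results = []
    for ts, action, caller in sorted(events, key=lambda e: e[0]):
        since = ts - cfg.deadline
        if action == "withdraw":          # assumed: takes the whole balance
            ok = 0 < since <= cfg.withdrawal_delay and available > 0
            available = 0 if ok else available
        else:                             # "claimRefund" for one backer
            ok = 0 < since <= cfg.refund_delay and available >= pledges[caller]
            available -= pledges[caller] if ok else 0
        results.append((action, caller, ok))
    return results

# Constructed sample data.
PLEDGES = {"alice": 60, "bob": 40}
ACCEPTED = Config(deadline=1_000, withdrawal_delay=7 * DAY, refund_delay=3 * DAY)
REJECTED = Config(deadline=1_000, withdrawal_delay=1 * DAY, refund_delay=3 * DAY)
EVENTS = [(1_000 + 3_600, "claimRefund", "alice"),
          (1_000 + 7_200, "withdraw", "owner"),
          (1_000 + 2 * DAY, "claimRefund", "bob")]
```

For every configuration that passes `validate`, `refund_only_seconds` is 0 and `overlap_seconds` equals the refund delay, which is the overlap the comment is concerned with.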
