Missing enforcement of grace period in final vesting claims in `RAACReleaseOrchestrator` contract
Summary
The contract declares a constant GRACE_PERIOD set to 7 days, which is likely intended to delay the final token claim even after the vesting period has fully elapsed. However, the grace period is not implemented in the vesting logic. Specifically, once the vesting duration is over, the contract immediately allows beneficiaries to claim all remaining tokens, bypassing the intended additional delay. This discrepancy between the documented intention and the implemented logic may lead to premature token release, potentially deviating from the intended vesting schedule.
Vulnerability Details
-
Grace Period Declaration:
The contract defines a constant for a 7-day grace period:
uint256 public constant GRACE_PERIOD = 7 days;This constant is expected to introduce an extra delay for final claims after the vesting duration ends.
-
Vesting Release Logic:
In the
_calculateReleasableAmountfunction, the contract computes the releasable tokens as follows:function _calculateReleasableAmount(VestingSchedule memory schedule) internal view returns (uint256) {if (block.timestamp < schedule.startTime + VESTING_CLIFF) return 0;if (block.timestamp < schedule.lastClaimTime + MIN_RELEASE_INTERVAL) return 0;uint256 timeFromStart = block.timestamp - schedule.startTime;if (timeFromStart >= schedule.duration) {return schedule.totalAmount - schedule.releasedAmount;}uint256 vestedAmount = (schedule.totalAmount * timeFromStart) / schedule.duration;return vestedAmount - schedule.releasedAmount;}Expected Behavior: After the vesting duration, the grace period should delay the final release, meaning that even if the vesting period is complete, the beneficiary would need to wait an additional 7 days before claiming any remaining tokens.
Actual Behavior: The condition
if (timeFromStart >= schedule.duration)immediately returns the remaining balance, with no consideration ofGRACE_PERIOD. As a result, beneficiaries can claim all their tokens immediately after the vesting duration elapses, effectively negating the intended grace period.
-
Documentation vs. Implementation Mismatch:
The provided documentation states that a grace period of 7 days is part of the vesting schedule. However, the implementation does not incorporate this delay in any calculation, leading to a discrepancy between the intended vesting mechanics and what is actually executed.
Impact
-
Premature Token Release:
Beneficiaries can claim all remaining tokens immediately after the vesting duration ends. This behavior conflicts with the documented intention of delaying the final claim by 7 days (the grace period), potentially altering the expected token release timeline. -
Inconsistent Vesting Schedule Enforcement:
The omission of the grace period enforcement may cause stakeholders to receive tokens earlier than anticipated, undermining the planned distribution strategy and potentially affecting market behavior or stakeholder expectations.
Proof-of-Concept (POC) Example
Assume:
A beneficiary has a vesting schedule with a total token allocation of
Xtokens.The vesting schedule is defined with a cliff of 90 days and a duration of 700 days.
According to the design, after 700 days, the beneficiary should wait an additional 7 days (grace period) before being eligible to claim the remaining tokens.
Steps:
The beneficiary waits for 700 days.
At
block.timestamp = schedule.startTime + 700 days, the condition in_calculateReleasableAmountis met:if (timeFromStart >= schedule.duration) {return schedule.totalAmount - schedule.releasedAmount;}The function immediately returns the full remaining amount, allowing the beneficiary to claim all tokens without waiting the extra 7 days.
Result:
The intended grace period is bypassed, and the beneficiary can claim tokens immediately after the vesting duration, contrary to the expected behavior documented in the release schedule.
Tools Used
Manual review
Recommendations
Integrate the Grace Period in Vesting Logic:
Modify the
_calculateReleasableAmountfunction to enforce the grace period after the vesting duration has ended. For instance, change the logic to:if (timeFromStart >= schedule.duration) {if (block.timestamp < schedule.startTime + schedule.duration + GRACE_PERIOD) {// Optionally, return 0 or a prorated amount until the grace period elapses.return 0;} else {return schedule.totalAmount - schedule.releasedAmount;}}This ensures that beneficiaries must wait the full vesting duration plus the grace period before claiming any remaining tokens.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.