Vesting schedule can be created with insufficient available token balance in the contract
Summary
Vesting schedule can be created without ensuring that the token balance of the contract can afford the vesting schedule. This can cause failure of claim for the beneficiary when the time is ripe for beneficiaries to claim the token.
Vulnerability Details
The createVestingSchedulefunction in RAACReleaseOrchestrator.soldoes not check that the amount of token for the new vesting schedule can be afforded by the contract.
Impact
If there are some vesting schedule claimable amount that is greater than the current token balance of the contract, the beneficiaries cannot claim the token through the release function as the transaction will revert because of insufficient token balance. This is especially problematic if there are multiple vesting schedule that start at the same time considering all of the schedules duration use the same constant VESTING_DURATION variable (700 days).
Tools Used
Manual review
Recommendations
Check in the createVestingSchedulefunction if the current contract token balance can afford the vesting schedule amount by checking the current contract token balance subtracted by all existing vesting schedule amount.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.