Vesting Duration Includes Cliff Period
Summary
The vesting calculation incorrectly includes the cliff period in the vesting duration. Tokens start vesting after the cliff, but the code counts time from startTime instead of startTime + VESTING_CLIFF.
Impact
Beneficiaries receive tokens faster than intended. For example, with a 90-day cliff and 700-day duration, tokens vest over 790 days (cliff + duration) instead of 700 days post-cliff.
Vulnerability Details
The timeFromStart is calculated as block.timestamp - schedule.startTime, which includes the cliff period. The correct calculation should start from startTime + VESTING_CLIFF.
Explain in relevant detail using numbers and creating scenarios demonstrating the impact
startTime = 0,VESTING_CLIFF = 90 days,VESTING_DURATION = 700 days.At day 180 (90 days post-cliff), the code calculates vested tokens as
180/700 ≈ 25.7%.Correct vested amount should be
90/700 ≈ 12.85%, doubling the release rate.
Recommendations
Adjust timeFromStart to exclude the cliff:
Lead Judging Commences
RAACReleaseOrchestrator vesting calculation includes cliff period in duration, doubling token release rate after cliff ends
RAACReleaseOrchestrator vesting calculation includes cliff period in duration, doubling token release rate after cliff ends
Appeal created
RAACReleaseOrchestrator vesting calculation includes cliff period in duration, doubling token release rate after cliff ends
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.