Precision Loss in Vesting Calculation Leads to Unclaimable Tokens
Summary
The _calculateReleasableAmount() function uses integer division to compute vested amounts. Since Solidity rounds down when performing division, this results in minor precision loss over time, leading to a scenario where beneficiaries might be unable to claim their full vested entitlement.
Vulnerability Details
The _calculateReleasableAmount() function determines how many tokens have vested based on time elapsed:
Solidity’s integer division rounds down fractional values.
If
totalAmountis not perfectly divisible byduration, a small portion of tokens will never be claimable, since each claim slightly underestimates the vested amount.The issue compounds over multiple claims, leading to unallocated tokens remaining in the contract after the vesting period ends.
Impact
Loss of Tokens for Beneficiaries: Due to rounding down, the total claimable amount may be slightly less than the intended total vesting allocation.
Locked Tokens in Contract: Small amounts of unclaimed tokens may remain trapped in the contract, making them inaccessible to beneficiaries.
Tools Used
Manual Code Review
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.