Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Precision Loss in Vesting Calculation Leads to Unclaimable Tokens

abhan

Summary

The _calculateReleasableAmount() function uses integer division to compute vested amounts. Since Solidity rounds down when performing division, this results in minor precision loss over time, leading to a scenario where beneficiaries might be unable to claim their full vested entitlement.

Vulnerability Details

The _calculateReleasableAmount() function determines how many tokens have vested based on time elapsed:

uint256 vestedAmount = (schedule.totalAmount * timeFromStart) / schedule.duration; return vestedAmount - schedule.releasedAmount;

  • Solidity’s integer division rounds down fractional values.

  • If totalAmount is not perfectly divisible by duration, a small portion of tokens will never be claimable, since each claim slightly underestimates the vested amount.

  • The issue compounds over multiple claims, leading to unallocated tokens remaining in the contract after the vesting period ends.

Impact

  • Loss of Tokens for Beneficiaries: Due to rounding down, the total claimable amount may be slightly less than the intended total vesting allocation.

  • Locked Tokens in Contract: Small amounts of unclaimed tokens may remain trapped in the contract, making them inaccessible to beneficiaries.

Tools Used

Manual Code Review

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.