Hi Team, I found out a potential vulnerability in the code during manual checking of the smart contract in which the loss of tokens can occur during calculation of vesting period by the means of arithmetic underflow flaw.
The key details of this potential vulnerability are given below:
During the manual analysis of the code, I found out from line 91-112, '_calculate_vested_amount::instant_release' and '_calculate_vested_amount::linear_vesting' results in miscalculation of tokens in the vested duration leads to loss of tokens and impacting the overall trust of users on the smart contract. For eg:
If the total amount of tokens are 101, then the calculation should be:
instant_release = (101 * 31) // 100 = 31
linear_vesting = (101 * 69) // 100 = 69
Total = 31+69=100
which results in 1 token loss and further miscalculation in 'vested' component and vesting duration is deriving 'linear_vesting' component in it.
Code:
Users can't be able to claim their vested allocation, leads to token loss scenario.
Loss of trust among users for the project due to arithmetic logical error in the code.
Manual Analysis
Avoid the arithmetic error by defining one component i.e. 'instant_release' and deriving the other i.e. 'linear_vesting'.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.