Rounding Error in Vesting Calculation found in `VestedAirdrop::_calculate_vested_amount` function.
Description: The _calculate_vested_amount function performs integer division operations that can lead to precision loss. Specifically, the calculations (total_amount * 31) // 100 for instant release and (total_amount * 69) // 100 for linear vesting may not sum exactly to total_amount due to rounding errors, resulting in some tokens potentially being locked forever.
Lines 147-148:
Impact: Due to rounding errors in integer division, the sum of instant_release and linear_vesting may be slightly less than total_amount. This discrepancy means that a small portion of tokens might never be claimable, permanently locking them in the contract.
Proof of Concept:
For a total_amount of 100 tokens:
instant_release = (100 * 31) // 100 = 31linear_vesting = (100 * 69) // 100 = 69
This works correctly.
However, for a total_amount of 101 tokens:
instant_release = (101 * 31) // 100 = 31linear_vesting = (101 * 69) // 100 = 69Total: 31 + 69 = 100 (1 token is lost)
Recommended Mitigation: Calculate only one of the portions explicitly and derive the other from the total to ensure no tokens are lost:
Appeal created
Rounding issue in vesting calculation
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.