⬆️Vulnerability of Incorrect Linear Vesting Calculations

The vulnerability arises when the formula used to calculate the vested amount does not properly account for the time that has passed in relation to the total vesting duration. Inaccurate formulas result in under-vesting, where users are not able to claim the correct portion of their tokens even though the intended linear vesting schedule would allow for it.

How the Vulnerability Happens

In a linear vesting contract, the amount of tokens a user can claim should increase proportionally to the time that has passed. For example, if the vesting duration is 100 seconds, and 50 seconds have passed, the user should be able to claim 50% of their tokens.

However, an incorrect formula like the one below can lead to inaccurate vesting calculations:

uint256 vestedAmount = (userTotalAmount * (block.timestamp - start)) / vestingDuration;

While this formula seems to calculate the correct amount of vested tokens, it can lead to inaccuracies if it does not properly account for tokens already claimed. As a result, the user might be able to claim less than they are entitled to.

Proof of Concept: Example of Incorrect Vesting Calculation

Let’s say a user has 10,000 tokens with a vesting duration of 100 seconds. After 50 seconds, the user should be able to claim 5,000 tokens. However, with an incorrect formula, the user might claim only 4,500 tokens or an incorrect amount.

In this example, after another 10 seconds (60 seconds total), the user should be able to claim an additional 1,000 tokens (10% of the total). However, the contract’s current calculation may only allow them to claim an additional 500 tokens, leading to an under-distribution of tokens.

This incorrect calculation stems from not properly considering the tokens that have already been claimed when calculating the additional amount to be released.

---

Mitigation: Fixing the Linear Vesting Formula

To ensure that the correct amount of tokens is vested over time, the formula needs to account for the total tokens vested and subtract the tokens already claimed by the user.

Correct Formula for Linear Vesting

The correct formula for calculating the vested amount should consider the proportion of time passed and subtract the amount the user has already claimed. This ensures that users receive their tokens progressively in a linear fashion, as expected.

Here’s how to implement the correct formula:

function vestedAmount(address _beneficiary) public view returns (uint256) {
    uint256 totalVested = (userTotalAmount * (block.timestamp - start)) / vestingDuration;
    uint256 amountToClaim = totalVested - userClaimedAmount[_beneficiary];
    return amountToClaim;
}

In this implementation:

• userTotalAmount represents the total amount of tokens the user is entitled to.

• block.timestamp - start represents the amount of time that has passed since the vesting period began.

• vestingDuration is the total duration of the vesting schedule.

• userClaimedAmount[_beneficiary] tracks the amount the user has already claimed, ensuring the correct remaining amount is calculated.

Conclusion

Incorrect vesting calculations in linear vesting contracts can lead to significant under-distribution of tokens, where users are unable to claim the correct amount of tokens based on the time passed. This can lead to frustration for users and even legal or reputational risks for projects.

To prevent this issue, always ensure that your linear vesting contracts:

1. Properly account for the time passed since the start of the vesting period.

2. Subtract the amount of tokens already claimed by the user.

3. Allow users to progressively claim their tokens based on the correct vesting schedule.

By using the correct formula, you can ensure that tokens are vested and distributed fairly and accurately, aligning with the intended token distribution schedule.

4o