5 matches found
CVE-2026-28410
The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in...
A malicious manager could revoke grants early and steal unvested tokens.
Lines of code Vulnerability details Impact A malicious manager can: Revoke a grant before its expiration. Take all tokens not yet vested/withdrawn based on the vesting schedule. Deprive the grant owner of tokens they should have later received if vesting continued. Proof of Concept A The...
Can overflow linear vest calculation and lock up funds
Lines of code Vulnerability details Impact If a Claim object for a user has a large enough vesting time and/or linear vesting amount, then that object can get into a state such that the calculations in baseVestedAmount overflow. If the baseVestedAmount calculations overflow, then the associated...
Linear vesting logic is incorrect for subsequent withdrawals
Lines of code Vulnerability details Impact After attempting a withdrawal, StakedCitadelVester.sol vest is called, creating a 21 day vesting schedule for the user to claim their withdrawed amount. This logic works perfectly for the first withdrawal, but will be incorrect for every subsequent...
Vested NFT not always minted
Handle cmichel Vulnerability details The FSDVesting.claimVestedTokens function tokenizes the conviction only if the current claimed amount tokenClaim equals the total vested amount amount. // tokenClaim is vestedAmount - totalClaimed uint256 tokenClaim = calculateVestingClaim; if amount ==...