Lines of code
https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleVesting.sol#L117-L118
Vulnerability details
Impact
coinsPerSecond is totalCoins (in the token's decimals) divided by the length of the vesting period in seconds. For a low-decimal token such as USDC, coinsPerSecond may suffer significant precision loss, so that the user receives less than the amount they are entitled to.
Proof of Concept
https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/MerkleVesting.sol#L117-L118
For example, if 0.01 WBTC is vested over 1 year, coinsPerSecond = 0.01 * 10e8 / (365 * 86400) = 0, so the user will not be able to claim any of the balance.
Recommended Mitigation Steps
Multiply coinsPerSecond by a scaling factor, for example 10e18.
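The truncation and the effect of the proposed scaling factor, as an added illustration that is not code from MerkleVesting: Python integers stand in for uint256 (floor division, no fractions), SCALE = 1e18 is assumed as the scaling factor, and paying the exact remainder on the final claim is an assumed addition so that rounding dust is not stranded.

```python
# Added illustration: Python ints mimic uint256 arithmetic (floor division).
YEAR = 365 * 86400          # vesting duration in seconds
SCALE = 10**18              # assumed scaling factor for the mitigation


def coins_per_second_naive(total_coins: int, duration: int) -> int:
    """Rate as the finding describes it: total / duration, truncated."""
    return total_coins // duration


def claimable_naive(total_coins: int, duration: int, elapsed: int) -> int:
    """Amount vested after `elapsed` seconds using the truncated rate."""
    elapsed = min(elapsed, duration)
    return coins_per_second_naive(total_coins, duration) * elapsed


def shortfall_naive(total_coins: int, duration: int) -> int:
    """Tokens the beneficiary can never claim, even after the full period."""
    return total_coins - claimable_naive(total_coins, duration, duration)


def coins_per_second_scaled(total_coins: int, duration: int) -> int:
    """Mitigated rate: keep SCALE extra digits of precision."""
    return total_coins * SCALE // duration


def claimable_scaled(total_coins: int, duration: int, elapsed: int) -> int:
    """Vested amount with the scaled rate. The final claim pays the exact
    remainder (assumed behaviour), since dividing SCALE back out still
    truncates a little dust."""
    if elapsed >= duration:
        return total_coins
    return coins_per_second_scaled(total_coins, duration) * elapsed // SCALE


if __name__ == "__main__":
    wbtc = 10**6            # 0.01 WBTC at 8 decimals (constructed sample)
    eth = 10**18            # 1 ETH at 18 decimals (constructed sample)
    print("naive rate, 0.01 WBTC:", coins_per_second_naive(wbtc, YEAR))
    print("naive shortfall, 0.01 WBTC:", shortfall_naive(wbtc, YEAR))
    print("naive shortfall, 1 ETH (wei):", shortfall_naive(eth, YEAR))
    print("scaled claim, half period:", claimable_scaled(wbtc, YEAR, YEAR // 2))
    print("scaled claim, full period:", claimable_scaled(wbtc, YEAR, YEAR))
```

Even the 18-decimal token loses a small amount of dust with the naive rate, which is why the final claim should settle the remainder rather than rely on rate * duration.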