nevillehuang
commented
9 months ago Invalid, it is users self responsibility to ensure they can still claim vested token when revoking is disabled by admin.
Closed sherlock-admin closed 9 months ago
nevillehuang
commented
9 months ago Invalid, it is users self responsibility to ensure they can still claim vested token when revoking is disabled by admin.
sonny2k
high
There is no way to recover unclaimed vesting from recipient if the recipient lost their access to account and isFullyRevokable = false
Summary
If isFullyRevokable = false and the recipient can't claim the unclaimed vesting, the owner has no way to rescue this fund
Vulnerability Detail
There is no function to recover these unclaimed funds
Impact
Lost of funds for the recipient
Code Snippet
https://github.com/sherlock-audit/2024-01-rio-vesting-escrow/blob/main/rio-vesting-escrow/src/VestingEscrow.sol#L177
As you can see revokeAll() can rescue the fund if isFullyRevokable = false
Tool used
Manual Review
Recommendation
Implement a function:
recoverUnclaimed(address beneficiary, uint256 amount) external onlyOwnerwith the cooldown of 14 days after the vesting end and only owner can call this function. So that the owner can rescue the fund without confusing the recipient