All rewards will be released at the same time, linear locking has no effect.
Code Snippet
function claim(
uint256 index, // the beneficiary's index in the merkle root
address beneficiary, // the address that will receive tokens
uint256 totalAmount, // the total claimable by this beneficiary
uint256 start, // the start of the vesting period
uint256 cliff, // cliff time
uint256 end, // the end of the vesting period
bytes32[] calldata merkleProof
)
external
validMerkleProof(keccak256(abi.encodePacked(index, beneficiary, totalAmount, start, cliff, end)), merkleProof)
nonReentrant
{
// effects
uint256 claimedAmount = super._executeClaim(beneficiary, totalAmount, new bytes(0));
Drynooo
high
claim parameters have no effect
Summary
In the PerAddressContinuousVestingMerkleDistributor contract, the start, cliff, and end parameters of the claim function have no effect . All tokens will be released together.
Vulnerability Detail
Because in the claim function, the parameter passed in is bytes (0). Therefore, when calculating the release amount, it will be released directly.
Impact
All rewards will be released at the same time, linear locking has no effect.
Code Snippet
Tool used
Manual Review
Recommendation
Duplicate of #51