The Graph Token Vesting Contract Flaw Allows Early Access to Locked Tokens

Vulnerability

A vulnerability in The Graph's token vesting contracts, present in versions through 2.0.0, allows users to access tokens that should remain locked according to their vesting schedule. The issue arises because the contracts tracked tokens used in the protocol against the vested amount without accounting for tokens that had already been released, creating a loophole. Users could withdraw vested tokens, use the same amount in the protocol from the contract's balance, and so effectively 'double-spend' their vested allowance. This flaw broke the vesting contract's accounting and complicated token revocation.

Impact

Exploitation of this vulnerability enabled users to 'double-spend' their vested tokens by withdrawing them and subsequently using them within The Graph protocol, such as for staking or delegation. This exploitation disrupted the vesting contract's accounting, causing revocation attempts to fail due to insufficient tokens remaining in the contract.

Reproduction

To reproduce this vulnerability, a user first releases and withdraws their vested tokens from a revocable vesting contract. After the tokens have been withdrawn, the user uses the same amount in The Graph protocol from the contract, for example by staking or delegating. The contract incorrectly allows this because it only verifies that the used tokens are less than or equal to the vested amount, without subtracting tokens that have already been released.
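The accounting error described in the Vulnerability and Reproduction sections, as an added toy model (not The Graph's contract code). `strict=False` reproduces the flawed check, `used <= vested`, which ignores released tokens; `strict=True` models a hardened check, `released + used <= vested`, which is an assumption made here for illustration only. The advisory says the shipped 3.0.0 fix instead removed the used-token tracking and limited protocol interactions to non-revocable contracts. The amounts (1000 locked, 400 vested) are constructed sample values, and `revoke()` shows why revocation fails once the contract's balance no longer covers the unvested remainder.

```python
"""Toy accounting model of a revocable vesting contract (added example).

Not The Graph's code. The contract holds locked tokens; the beneficiary can
release (withdraw) vested tokens and can also commit tokens from the
contract's balance into the protocol (staking/delegation). The flawed check
lets both paths draw on the same vested amount.
"""


class VestingModel:
    def __init__(self, total: int, vested: int, strict: bool) -> None:
        self.total = total      # tokens originally locked in the contract
        self.vested = vested    # tokens vested so far under the schedule
        self.balance = total    # tokens the contract currently holds
        self.released = 0       # tokens withdrawn by the beneficiary
        self.used = 0           # tokens sent from the contract into the protocol
        self.strict = strict    # False = flawed check, True = assumed hardening

    def releasable(self) -> int:
        # Vested tokens not yet withdrawn; the hardened model also excludes
        # tokens already committed to the protocol.
        return self.vested - self.released - (self.used if self.strict else 0)

    def usable(self) -> int:
        # Flawed: vested - used (released tokens ignored).
        # Hardened: vested - used - released.
        return self.vested - self.used - (self.released if self.strict else 0)

    def release(self, amount: int) -> None:
        if amount > self.releasable() or amount > self.balance:
            raise ValueError("release exceeds releasable amount")
        self.released += amount
        self.balance -= amount

    def use_in_protocol(self, amount: int) -> None:
        if amount > self.usable() or amount > self.balance:
            raise ValueError("protocol use exceeds vested allowance")
        self.used += amount
        self.balance -= amount  # tokens leave the contract for staking/delegation

    def unvested(self) -> int:
        return self.total - self.vested

    def revoke(self) -> int:
        # Revocation must return the unvested remainder to the owner; it fails
        # when the contract no longer holds that many tokens.
        if self.balance < self.unvested():
            raise ValueError("revocation fails: insufficient tokens in contract")
        self.balance -= self.unvested()
        return self.unvested()

    def accounting_consistent(self) -> bool:
        # Invariant a reviewer would check: tokens that left the contract by
        # either path never exceed what has vested.
        return self.released + self.used <= self.vested


def scenario(strict: bool, total: int = 1000, vested: int = 400) -> dict:
    """Release the full vested amount, then try to commit the same amount."""
    vc = VestingModel(total, vested, strict)
    vc.release(vested)
    try:
        vc.use_in_protocol(vested)
        use_allowed = True
    except ValueError:
        use_allowed = False
    try:
        vc.revoke()
        revoke_ok = True
    except ValueError:
        revoke_ok = False
    return {
        "use_allowed": use_allowed,
        "consistent": vc.accounting_consistent(),
        "revoke_ok": revoke_ok,
        "balance_after": vc.balance,
    }


if __name__ == "__main__":
    print("flawed  :", scenario(strict=False))
    print("hardened:", scenario(strict=True))
```

With the flawed check the scenario ends with 800 tokens drawn against a 400-token vested amount and only 200 tokens left to cover a 600-token revocation; with the hardened check the second draw is rejected and revocation succeeds.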

Remediation

The vulnerability has been patched in The Graph version 3.0.0, which removed the flawed tracking of used tokens and restricted interactions with the protocol to non-revocable vesting contracts, so that revocable contracts can no longer draw on the vested amount twice.

Added: Mar 5, 2026, 9:20 PM
Updated: Mar 5, 2026, 9:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.8
remediation: 0.0
relevance: 3.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.