Category: Coding Mistakes
RestrictedTokenAllocation lacks repurchase deadline check
Medium Severity
Medium Impact
Low Likelihood
Description
Restricted-token allocation allows the authority to repurchase tokens after MetaVesT is terminated.
According to comments in MetaVesTController, the storage variable shortStopDate in RestrictedTokenAllocation should be used to check the repurchase deadline.

    /// @param _shortStopTime if token option, vesting stop time and exercise deadline; if restricted token award, lapse stop time and repurchase deadline -- must be <= vestingStopTime

But the function repurchaseTokens does not implement such a check.

    function repurchaseTokens(uint256 _amount) external onlyAuthority nonReentrant {
        if(!terminated) revert MetaVesT_NotTerminated();
        if (_amount == 0) revert MetaVesT_ZeroAmount();
        if (_amount > getAmountRepurchasable()) revert MetaVesT_MoreThanAvailable();
        // [...]
    }
Impact
After MetaVesT is terminated, there is no time limit for the authority to repurchase tokens. For grantees, it may take a long time to claim the full amount paid for the repurchased tokens.
Recommendations
Implement a repurchase deadline check in the function repurchaseTokens.
Remediation
This issue has been acknowledged by MetaLeX Labs, Inc, and a fix was implemented in commit e425c905.
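
One way the recommended deadline check could look, as an added example: this is not MetaLeX code and not the contents of the fix commit. The contract name, the RepurchaseDeadlinePassed and NotAuthority errors, the uint256 type of shortStopDate, the repurchasable counter standing in for getAmountRepurchasable(), and the choice to treat the deadline timestamp itself as still inside the window are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a stripped-down stand-in for RestrictedTokenAllocation
// that keeps only the state the deadline check needs.
contract RepurchaseDeadlineSketch {
    error MetaVesT_NotTerminated();
    error MetaVesT_ZeroAmount();
    error MetaVesT_MoreThanAvailable();
    error RepurchaseDeadlinePassed(); // hypothetical error name
    error NotAuthority();             // hypothetical, backs the simplified modifier

    address public immutable authority;
    uint256 public immutable shortStopDate; // repurchase deadline (type assumed)
    bool public terminated;
    uint256 public repurchasable; // simplified stand-in for getAmountRepurchasable()

    constructor(uint256 _shortStopDate, uint256 _repurchasable) {
        authority = msg.sender;
        shortStopDate = _shortStopDate;
        repurchasable = _repurchasable;
    }

    // Simplified access control; the reentrancy guard of the original is left out.
    modifier onlyAuthority() {
        if (msg.sender != authority) revert NotAuthority();
        _;
    }

    function terminate() external onlyAuthority {
        terminated = true;
    }

    function repurchaseTokens(uint256 _amount) external onlyAuthority {
        if (!terminated) revert MetaVesT_NotTerminated();
        // The check the finding asks for: reject repurchases once the deadline
        // has passed, so the authority's right to repurchase is bounded in time.
        // Assumption: a call at exactly shortStopDate is still allowed.
        if (block.timestamp > shortStopDate) revert RepurchaseDeadlinePassed();
        if (_amount == 0) revert MetaVesT_ZeroAmount();
        if (_amount > repurchasable) revert MetaVesT_MoreThanAvailable();
        repurchasable -= _amount;
        // Payment to the grantee and the token transfer are omitted here,
        // as they are in the excerpt quoted in the finding.
    }
}
```

A regression test for such a check would move the block timestamp past shortStopDate after termination and assert that repurchaseTokens reverts.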