Description

Calculating the amount of vested tokens is based on the time elapsed since the vestingStartTime and the current vesting rate. The calculation of the amount of unlocked tokens is similar.

function getVestedTokenAmount() public view returns (uint256) {
    if(block.timestamp<allocation.vestingStartTime)
        return 0;
    uint256 _timeElapsedSinceVest = block.timestamp - allocation.vestingStartTime;
    if(terminated)
        _timeElapsedSinceVest = terminationTime - allocation.vestingStartTime;

        uint256 _tokensVested = (_timeElapsedSinceVest * allocation.vestingRate) + allocation.vestingCliffCredit;

    // [...]
}

However, the authority can update the vestingRate. If the vesting rate changes, the amount of previously accumulated vested tokens will also change. Because according to the formula, the amount of tokens vested before the rate update will be recalculated using the new rate.

Impact

An update to the vesting rate may cause a sharp change in _tokensVested, impacting the accounting in other parts of the contract. For example, if the initial rate is r0 and the rate increases to r1 at time t1, then the vested amount (ignoring cliff credit) will change from r0 * t1 to r1 * t1. In the following diagram, this means changing from the black solid line to the green dashed line above it.

Recommendations

An intuitive approach is to record the last update time as well as the vested or unlocked tokens. In this way, each time period can be calculated using the corresponding rate.

Remediation