Vester incorrect burn
Description
Vesting is the process of locking tokens for a certain interval of time, after which the tokens are returned with rewards. The function _updateVesting, which is called to update vesting states, burns esToken, which represents the user's locked tokens, from the account. This is incorrect, as locked esTokens are transferred to the Vesting contract when deposited.
    function _updateVesting(address _account) private {
        uint256 amount = _getNextClaimableAmount(_account);
        lastVestingTimes[_account] = block.timestamp;
        if (amount == 0) {
            return;
        }
        // transfer claimableAmount from balances to cumulativeClaimAmounts
        _burn(_account, amount);
        cumulativeClaimAmounts[_account] = cumulativeClaimAmounts[_account] + amount;
        IRestrictedToken(esToken).burn(_account, amount);
    }
Impact
If a user deposits more than half of their esToken, they cannot claim or withdraw more tokens without acquiring more esToken, as the call will revert due to the lack of tokens during the burn.
If the user has enough tokens to be burned (not deposited tokens), their esTokens will be burned every time _updateVesting is called, and they will receive no tokens in return.
Recommendations
Correct the logic to burn tokens from the Vester contract and not from the user.
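The accounting behind both impact cases and the recommended change, as an added example that is not GammaSwap's code: a constructed Python ledger model in which Ledger, run and the two-step vesting schedule are assumptions, and burn_from selects whether the esToken burn targets the user (the reported behaviour) or the Vester (the recommendation).

```python
# Constructed ledger model of the accounting in _updateVesting. Every name
# except esToken and _updateVesting is an assumption made for this example.
class InsufficientBalance(Exception):
    """Stands in for the revert raised by the esToken burn."""


class Ledger:
    def __init__(self, user_balance):
        self.es = {"user": user_balance, "vester": 0}  # esToken balances
        self.vesting = 0    # Vester's internal balance for the account
        self.claimable = 0  # cumulativeClaimAmounts for the account

    def _take(self, holder, amount):
        if self.es[holder] < amount:
            raise InsufficientBalance(holder)
        self.es[holder] -= amount

    def deposit(self, amount):
        # Depositing moves esToken from the user into the Vester contract.
        self._take("user", amount)
        self.es["vester"] += amount
        self.vesting += amount

    def update_vesting(self, vested, burn_from):
        # vested plays the role of _getNextClaimableAmount(_account).
        if vested == 0:
            return
        # Burn first: a failure leaves state untouched, like a reverted call.
        self._take(burn_from, vested)
        self.vesting -= vested
        self.claimable += vested


def run(total, deposited, burn_from):
    """Vest the whole deposit in two updates and report the end state as
    (status, user esToken, Vester esToken, claimable)."""
    ledger = Ledger(total)
    ledger.deposit(deposited)
    status = "ok"
    try:
        for step in (deposited // 2, deposited - deposited // 2):
            ledger.update_vesting(step, burn_from)
    except InsufficientBalance:
        status = "revert"
    return (status, ledger.es["user"], ledger.es["vester"], ledger.claimable)
```

With 100 esToken, depositing 60 and burning from the user reverts on the second update; depositing 40 completes, but the user's wallet drops from 60 to 20 while the 40 deposited esToken stay in the Vester. Burning from the Vester leaves the wallet untouched and the Vester balance at zero.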
Remediation
This issue has been acknowledged by GammaSwap, and a fix was implemented in commit a3672730.