rdin777/ltgion-newaudit

GitHub: rdin777/ltgion-newaudit

A security audit study of the Legion Protocol token vesting contract, revealing an epoch vesting logic flaw and a precision loss issue, with a reproducible PoC.

Stars: 0 | Forks: 0

# LegionProtocol Security Audit (Research Edition) 🛡️

## 📊 Audit Overview

- **Framework:** Foundry
- **Scope:** Vesting, Sales and core protocol logic
- **Total tests:** 595 passed

## 🚨 Critical Finding: Broken Epoch Vesting Logic

- **Severity:** Critical
- **Contract:** `LegionLinearEpochVesting.sol`
- **Vulnerability type:** Logic error / state dependency / precision loss

### 📝 Description

The `_vestingSchedule` implementation is fundamentally flawed in how it computes the vested amount. Instead of being a pure function of time, it depends on the mutable state variable `s_lastClaimedEpoch`:

```solidity
// The vested amount is only recomputed when the current epoch is past the last claimed one;
// otherwise amountVested keeps its default value of 0.
if (currentEpoch > s_lastClaimedEpoch) {
    amountVested = ((currentEpoch - 1) * _totalAllocation) / s_numberOfEpochs;
}
```

### 💥 Impact

- **Double-claim denial:** If a user or a bot calls `release()` twice within the same epoch, the second call returns `amountVested = 0`, potentially locking legitimate funds.
- **Precision loss (dust):** The use of a fixed `1e18` denominator (from `Constants.sol`) without scaling for low-decimal tokens (e.g., USDC, USDT) leads to permanent rounding errors where the "dust" remains stuck in the contract forever.

### 🛠️ Proof of Concept (PoC)

To run the reproduction test:

```bash
forge test --match-path test/poc/LegionEpochBreaker.t.sol -vvvv
```

## 🛠️ How to Run Tests

Clone the repo:

```bash
git clone https://github.com/rdin777/ltgion-newaudit.git
cd ltgion-newaudit
```

Install dependencies:

```bash
forge install
```

Run the full suite:

```bash
forge test
```

## 👨‍💻 Author

RimDinov (rdin777)

Smart Contract Auditor & Security Researcher
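The double-claim and rounding behaviour described in the finding above, modelled as an added Python example (not the repository's code or the Legion Protocol contract): `vested_state_dependent` mirrors the flawed snippet, `vested_pure` and `release_pure` show the pure-function-of-time alternative, and `dust_per_epoch_increment` is a constructed rounding check that does not reproduce the contract's exact `1e18` arithmetic.

```python
# Constructed model of the vesting designs discussed above (not Legion Protocol code).
# Integer division mirrors Solidity; names follow the snippet on the page.

def vested_state_dependent(current_epoch, last_claimed_epoch, total, n_epochs):
    """The flawed pattern: result depends on s_lastClaimedEpoch, so a second
    call within the same epoch reports 0 instead of the cumulative amount."""
    if current_epoch > last_claimed_epoch:
        return ((current_epoch - 1) * total) // n_epochs
    return 0

def vested_pure(current_epoch, total, n_epochs):
    """Hardened pattern: cumulative vested amount as a pure function of time,
    capped at total once all epochs have elapsed."""
    elapsed = min(max(current_epoch - 1, 0), n_epochs)
    return (elapsed * total) // n_epochs

def release_pure(current_epoch, released_so_far, total, n_epochs):
    """Idempotent release: pays only the cumulative vested amount not yet paid,
    so a repeated call in the same epoch returns 0 without corrupting state."""
    return vested_pure(current_epoch, total, n_epochs) - released_so_far

def double_claim_same_epoch(total, n_epochs, epoch):
    """Two release() calls in one epoch. Returns (flawed_2nd, pure_1st, pure_2nd)."""
    # flawed design: the first call set s_lastClaimedEpoch = epoch, so the
    # second call fails the currentEpoch > s_lastClaimedEpoch check and sees 0
    flawed_2nd = vested_state_dependent(epoch, epoch, total, n_epochs)
    paid = release_pure(epoch, 0, total, n_epochs)
    pure_2nd = release_pure(epoch, paid, total, n_epochs)
    return flawed_2nd, paid, pure_2nd

def dust_per_epoch_increment(total, n_epochs):
    """Constructed rounding check: paying total // n_epochs per epoch leaves a
    remainder stuck, while the cumulative formula releases exactly total.
    Returns (dust_incremental, dust_cumulative)."""
    paid_incremental = sum(total // n_epochs for _ in range(n_epochs))
    paid_cumulative = vested_pure(n_epochs + 1, total, n_epochs)
    return total - paid_incremental, total - paid_cumulative

if __name__ == "__main__":
    USDC_ALLOCATION = 1_000_000 * 10**6  # constructed 6-decimal allocation
    print(double_claim_same_epoch(USDC_ALLOCATION, 12, 4))  # -> (0, 250000000000, 0)
    print(dust_per_epoch_increment(USDC_ALLOCATION, 7))     # -> (1, 0)
```

The invariant a Foundry test should assert is the one `dust_per_epoch_increment` checks: after the final epoch, the schedule has released exactly `total`, for every token decimal count in scope.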
Tags: DeFi, Foundry, Solidity, blockchain security, smart contract audit