
Revocable vesting contracts allow early access to locked tokens

Moderate
cargopete published GHSA-qx35-rc5x-x39r Mar 3, 2026

Package

No package listed

Affected versions

<= 2.0.0

Patched versions

3.0.0

Description

This vulnerability was reported through Immunefi and classified as Medium.

A flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule.

The vesting contracts tracked how many tokens were used in The Graph protocol (the usedAmount) but compared this against the wrong value: the check was performed against vestedAmount (tokens that have vested over time) and did not account for tokens that had already been released and withdrawn from the contract.

This created a loophole where users could:

  1. First, release and withdraw their vested tokens from the contract
  2. Then, use the same amount of tokens in The Graph protocol (for staking or delegating)
  3. The contract would incorrectly allow this because it only checked that usedAmount <= vestedAmount, without accounting for the tokens already withdrawn

Impact:

  • Users could effectively "double-spend" their vested tokens, withdrawing them and then also using the same amount in the protocol
  • This broke the accounting of the vesting contract: if the contract owner tried to revoke the vesting, the revocation would fail because there would not be enough tokens left in the contract to transfer back

The fix: The flawed usedAmount tracking was removed entirely, and now only non-revocable vesting contracts are allowed to interact with The Graph protocol.
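The following is an added model of the accounting flaw and of the fix described above; it is constructed for this advisory and is not code from The Graph's vesting contracts. The class and function names (VestingModel, run_double_spend) and the schedule figures (1000 tokens locked, 400 vested) are assumptions. It replays the three steps once against the vulnerable usedAmount <= vestedAmount check and once against the patched rule that revocable contracts cannot interact with the protocol, and shows why the owner's revocation fails in the vulnerable case.

```python
# Added illustration of the accounting flaw in GHSA-qx35-rc5x-x39r; this is a
# constructed model, not code from The Graph's vesting contracts. Class and
# function names (VestingModel, run_double_spend) are assumptions.


class RevocationFailed(Exception):
    """Raised when the contract no longer holds enough tokens to return the unvested portion."""


class VestingModel:
    """Minimal model of a vesting contract that can also stake/delegate in a protocol.

    balance() is what the contract actually holds: tokens released to the
    beneficiary or moved into the protocol are no longer in the contract.
    """

    def __init__(self, total: int, vested: int, revocable: bool, patched: bool = False):
        self.total = total          # tokens originally locked in the contract
        self.vested = vested        # tokens vested so far by the schedule
        self.released = 0           # vested tokens withdrawn by the beneficiary
        self.used = 0               # tokens moved into the protocol (the usedAmount)
        self.revocable = revocable
        self.patched = patched

    def balance(self) -> int:
        return self.total - self.released - self.used

    def release(self, amount: int) -> None:
        # Only the vested-but-not-yet-released portion can be withdrawn.
        if amount > self.vested - self.released:
            raise ValueError("amount exceeds releasable tokens")
        self.released += amount

    def use_in_protocol(self, amount: int) -> None:
        if self.patched:
            # Fixed behaviour: usedAmount tracking is gone and revocable
            # contracts may not interact with the protocol at all.
            if self.revocable:
                raise PermissionError("revocable vesting contracts cannot use the protocol")
        else:
            # Vulnerable check: compares usedAmount against vestedAmount and
            # ignores tokens that were already released and withdrawn.
            if self.used + amount > self.vested:
                raise ValueError("usedAmount would exceed vestedAmount")
        if amount > self.balance():
            raise ValueError("contract does not hold enough tokens")
        self.used += amount

    def revoke(self) -> int:
        """Owner revokes: the unvested remainder must be transferred back."""
        if not self.revocable:
            raise PermissionError("contract is not revocable")
        unvested = self.total - self.vested
        if self.balance() < unvested:
            raise RevocationFailed(
                f"need {unvested} tokens to return, contract holds {self.balance()}")
        self.total -= unvested
        return unvested


def run_double_spend(patched: bool) -> dict:
    """Replay the three steps from the advisory on a constructed schedule:
    1000 tokens locked, 400 vested, revocable."""
    c = VestingModel(total=1000, vested=400, revocable=True, patched=patched)
    c.release(400)                     # step 1: withdraw everything vested
    try:
        c.use_in_protocol(400)         # step 2: use the same amount again
        use_allowed = True
    except PermissionError:
        use_allowed = False
    try:
        returned = c.revoke()          # owner tries to claw back the 600 unvested
        revoke_ok = True
    except RevocationFailed:
        returned, revoke_ok = 0, False
    return {"use_allowed": use_allowed, "revoke_ok": revoke_ok,
            "returned": returned, "balance": c.balance()}


if __name__ == "__main__":
    print("vulnerable:", run_double_spend(patched=False))
    print("patched:   ", run_double_spend(patched=True))
```

In the vulnerable run the beneficiary ends up with 400 tokens in hand plus 400 in the protocol out of only 400 vested, and the contract holds 200 when the owner needs 600 back, so revoke() fails. In the patched run the protocol call is refused outright for the revocable contract, while a non-revocable contract is still free to stake or delegate without any usedAmount bookkeeping.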

Severity

Moderate

CVE ID

CVE-2026-28410

Weaknesses

No CWEs