CVE-2026-28410
Status: Received - Intake
Token Vesting Access Bypass in The Graph Before v

Publication date: 2026-03-05

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
The Graph is an indexing protocol for querying networks like Ethereum, IPFS, Polygon, and other blockchains. Prior to version 3.0.0, a flaw in the token vesting contracts allows users to access tokens that should still be locked according to their vesting schedule. This issue has been patched in version 3.0.0.
Meta Information
Published: 2026-03-05
Last Modified: 2026-03-10
Generated: 2026-06-16
AI Q&A: 2026-03-05
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: thegraph
Product: graph_protocol_contracts
Version / Range: all versions before 3.0.0 (3.0.0 itself excluded)
CWE
CWE-682: The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2026-28410 is a vulnerability in The Graph protocol's token vesting contracts prior to version 3.0.0. The flaw lies in how the contracts accounted for token usage during vesting. A state variable named usedAmount was meant to track tokens that a vesting contract had put to use inside the protocol, but the contracts did not subtract tokens that users had already withdrawn. A user could therefore withdraw vested tokens and then reuse the same tokens for staking or delegating within the protocol, effectively double-spending them. In addition, revocable vesting contracts could forward calls to protocol contracts, which could be misused to reach tokens that the vesting schedule should still have kept locked. The fix removes the usedAmount tracking and disallows revocable vesting contracts from forwarding calls to protocol contracts. [1, 2]

Impact Analysis

This vulnerability lets a beneficiary use tokens that should still be locked under their vesting schedule: they could withdraw vested tokens and then reuse the same tokens within The Graph protocol for staking or delegating, bypassing the intended lockup period. The result is unauthorized early access to tokens, potential financial loss, and disruption of the token distribution and vesting process. The flawed accounting also caused revocation attempts by contract owners to fail because too few tokens remained in the contract, which undermines the owner's ability to manage and secure the contract.

Detection Guidance

This vulnerability is an accounting flaw in the token vesting (token-lock) contracts of The Graph protocol that lets a beneficiary reach tokens that should still be locked. Detection means establishing whether the vesting contracts you deploy or interact with predate version 3.0.0, that is, whether they still carry the usedAmount tracking and still let revocable vesting contracts forward calls to protocol contracts.

To detect this, check which release of the Graph protocol contracts you are running and inspect the GraphTokenLockWallet contract. The usedAmount state variable is the marker of the flawed accounting (the patch removes it); releasableAmount() is the function whose result depended on that accounting, so a contract that has both is the one to treat as pre-3.0.0.

Suggested checks include:

  • Use a block explorer or client library (Etherscan, web3.js, or ethers.js) to retrieve the verified source or ABI of the deployed contract and confirm which release it was built from.
  • From that source or ABI, check whether GraphTokenLockWallet declares the usedAmount state variable (if the variable is public, Solidity also emits a usedAmount() getter in the ABI) and exposes releasableAmount().
  • Monitor transactions involving vesting contracts for calls that revocable vesting contracts forward to protocol contracts; patched versions disallow these, so any such call points to an unpatched contract.
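The ABI and source check described above, as an added example that is not code from The Graph or from this page. The ABI fragments and source snippets are constructed for the example; in practice the ABI string comes from a block explorer's "get ABI" endpoint or the verified-source view and is passed in after JSON.parse. Only usedAmount and releasableAmount are names the advisory gives; release() and the shape of the patched ABI are assumptions made here to keep the sample realistic.

```javascript
// Added example, not code from The Graph or from this page.
// Checks a token-lock wallet's ABI and verified source for the usedAmount
// accounting that the advisory says version 3.0.0 removed.

// Constructed ABI fragments (not the real contract ABI). usedAmount and
// releasableAmount are named by the advisory; release() is assumed.
const SAMPLE_ABI_PRE_3 = [
  { type: "function", name: "usedAmount", inputs: [],
    outputs: [{ type: "uint256", name: "" }], stateMutability: "view" },
  { type: "function", name: "releasableAmount", inputs: [],
    outputs: [{ type: "uint256", name: "" }], stateMutability: "view" },
  { type: "function", name: "release", inputs: [], outputs: [],
    stateMutability: "nonpayable" },
];
// Patched shape assumed for this example: the same contract minus the getter
// that a public usedAmount state variable would generate.
const SAMPLE_ABI_PATCHED = SAMPLE_ABI_PRE_3.filter((f) => f.name !== "usedAmount");

// Names of all ABI functions, which include getters of public state variables.
function abiFunctionNames(abi) {
  return new Set(abi.filter((e) => e.type === "function").map((e) => e.name));
}

// Report which of the advisory's markers the ABI exposes. A public usedAmount
// appears as a zero-argument view getter; that getter is the decisive marker.
// releasableAmount on its own is not evidence of the flaw.
function checkAbi(abi) {
  const names = abiFunctionNames(abi);
  return {
    hasUsedAmountGetter: names.has("usedAmount"),
    hasReleasableAmount: names.has("releasableAmount"),
    likelyPre300: names.has("usedAmount"),
  };
}

// A private or internal usedAmount has no getter and is invisible in the ABI,
// so also scan the verified source text for the state-variable declaration.
const USED_AMOUNT_DECL = /\buint256\s+(?:(?:public|private|internal)\s+)?usedAmount\s*[;=]/;
function sourceDeclaresUsedAmount(source) {
  return USED_AMOUNT_DECL.test(source);
}

// Combine both signals: either one marks the contract as pre-3.0.0.
function assessLockWallet(abi, source) {
  const fromAbi = checkAbi(abi);
  const fromSource = sourceDeclaresUsedAmount(source);
  return {
    ...fromAbi,
    sourceDeclaresUsedAmount: fromSource,
    likelyPre300: fromAbi.likelyPre300 || fromSource,
  };
}

// Constructed source snippets (not the real contract text).
const SOURCE_PRE_3 = `contract GraphTokenLockWallet {
  uint256 public usedAmount;
  function releasableAmount() public view returns (uint256) { return 0; }
}`;
const SOURCE_PATCHED = `contract GraphTokenLockWallet {
  function releasableAmount() public view returns (uint256) { return 0; }
}`;

console.log("pre-3.0.0 sample:", assessLockWallet(SAMPLE_ABI_PRE_3, SOURCE_PRE_3));
console.log("patched sample:  ", assessLockWallet(SAMPLE_ABI_PATCHED, SOURCE_PATCHED));
```

The source scan matters because an ABI-only check reports a false negative whenever usedAmount is not public; treat a positive from either signal as reason to confirm the deployed release against the project's 3.0.0 tag.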
Mitigation Strategies

The immediate mitigation step is to upgrade the Graph protocol contracts to version 3.0.0 or later, where this vulnerability has been patched.

The patch removes the usedAmount tracking and disallows revocable vesting contracts from forwarding calls to protocol contracts, preventing unauthorized token usage.

If upgrading immediately is not possible, restrict or monitor interactions from revocable vesting contracts so that they cannot forward calls to protocol contracts.

Additionally, review and audit your token vesting contracts to ensure they do not allow double-spending of vested tokens or misuse of locked tokens.
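The interim monitoring rule above, as an added example that is not code from The Graph or from this page. It runs over a constructed log of calls made by lock wallets; which wallets are revocable and which addresses are protocol contracts are inputs the operator must supply (placeholder addresses are assumed here), and the call records would normally come from decoded transaction traces of the lock-wallet addresses. It also flags the withdraw-then-reuse sequence the summary describes, as a review trigger rather than proof of misuse.

```javascript
// Added example, not code from The Graph or from this page.
// Flags calls that a revocable vesting (token-lock) wallet forwards to a
// protocol contract, and wallets that release tokens and then forward a
// protocol call. All addresses below are placeholders, not real deployments.

const WALLET_A = "0x1111111111111111111111111111111111111111"; // assumed revocable
const WALLET_B = "0x2222222222222222222222222222222222222222"; // assumed non-revocable
const STAKING = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";  // hypothetical protocol contract
const OTHER = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";    // unrelated contract

// Operator-supplied sets: read revocability from each wallet's configuration
// and take protocol addresses from the deployment you actually run.
const REVOCABLE_WALLETS = new Set([WALLET_A]);
const PROTOCOL_CONTRACTS = new Set([STAKING]);

// One record per external call made by a lock wallet. `fn` is the called
// function's name; a release() call targets the wallet itself.
const CALL_LOG = [
  { block: 100, wallet: WALLET_A, target: WALLET_A, fn: "release" },
  { block: 101, wallet: WALLET_A, target: STAKING, fn: "stake" },
  { block: 102, wallet: WALLET_B, target: STAKING, fn: "delegate" },
  { block: 103, wallet: WALLET_A, target: OTHER, fn: "transfer" },
];

// Walk the log in block order and emit one finding per rule that fires.
function auditCallLog(log, revocable, protocol) {
  const findings = [];
  const releasedBefore = new Set(); // wallets that have called release() so far
  const sorted = [...log].sort((a, b) => a.block - b.block);
  for (const rec of sorted) {
    const wallet = rec.wallet.toLowerCase();
    if (rec.fn === "release") {
      releasedBefore.add(wallet);
      continue;
    }
    if (!protocol.has(rec.target.toLowerCase())) continue; // not a forwarded protocol call
    if (revocable.has(wallet)) {
      // Disallowed outright in patched versions; its presence means an unpatched wallet.
      findings.push({ block: rec.block, wallet: rec.wallet, fn: rec.fn,
        rule: "revocable-wallet-forwarded-protocol-call" });
    }
    if (releasedBefore.has(wallet)) {
      // Withdraw-then-reuse sequence from the advisory summary; review, not proof.
      findings.push({ block: rec.block, wallet: rec.wallet, fn: rec.fn,
        rule: "release-then-protocol-call" });
    }
  }
  return findings;
}

console.log(auditCallLog(CALL_LOG, REVOCABLE_WALLETS, PROTOCOL_CONTRACTS));
```

The non-revocable wallet's delegate call at block 102 is deliberately left unflagged: the mitigation text restricts revocable wallets only, and a non-revocable wallet with no prior release has done nothing the advisory describes.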
