Vesting Pallet Design Flow

Parity has identified that users can bypass vesting restrictions. Please find the details below.

Affected System: Runtime
Vulnerability Type: Design Flow
Version(s) Affected: 0.9.42
Discovery Method: Internal Audit

Impact

The vesting pallet was designed with restrictions on locked funds; users cannot transfer funds until the vesting schedule allows. However, a bug exists which allows transaction fees and tips to be deducted from the unvested balance.

Remediation/Mitigation

This was addressed in paritytech/substrate#12109 and extra efforts have been made to document WithdrawReasons in paritytech/substrate#13964. Ensure your runtime is configured correctly so users cannot spend vesting funds on tips, unless that is desired behaviour.

ETA

None. As a note on WithdrawReasons in the future, once the transition from Currency to fungible::* is complete, it will be possible to completely drop the WithdrawReasons type.

Team Involved

FRAME team and Parity AppSec team

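The disclosure above describes the failure mode but does not show it. The following is an added example, not code from Parity, the vesting pallet or pallet_balances: a small stand-alone Rust model of reason-scoped balance locks. It shows why a vesting lock that is only enforced for TRANSFER and RESERVE still lets a tip be paid out of the unvested balance, and why the same withdrawal is refused once the lock covers every withdraw reason. The flag names mirror frame_support's WithdrawReasons, but the bit values, the Account and Lock types and the check in `withdraw` are assumptions of this model and do not reproduce pallet_balances' internal lock bookkeeping. `blocks_fees_and_tips` is the kind of check a runtime author can run against the reason set they hand to the vesting lock.

```rust
// Added example, not Substrate code: a simplified model of reason-scoped
// balance locks. Flag names mirror frame_support's WithdrawReasons; the bit
// values, the Account/Lock types and the lock check are assumptions made here.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct WithdrawReasons(u8);

impl WithdrawReasons {
    pub const TRANSFER: WithdrawReasons = WithdrawReasons(0b0001);
    pub const RESERVE: WithdrawReasons = WithdrawReasons(0b0010);
    pub const FEE: WithdrawReasons = WithdrawReasons(0b0100);
    pub const TIP: WithdrawReasons = WithdrawReasons(0b1000);

    /// Every reason this model knows about.
    pub fn all() -> Self {
        WithdrawReasons(0b1111)
    }

    /// True if every flag in `other` is also set in `self`.
    pub fn contains(self, other: Self) -> bool {
        self.0 & other.0 == other.0
    }
}

impl std::ops::BitOr for WithdrawReasons {
    type Output = Self;
    fn bitor(self, rhs: Self) -> Self {
        WithdrawReasons(self.0 | rhs.0)
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum WithdrawError {
    /// A lock forbids dropping the balance this low for the given reason.
    LiquidityRestrictions,
    InsufficientBalance,
}

/// A lock of `amount` units, enforced only for withdrawals whose reason is
/// contained in `reasons` (assumed model semantics).
pub struct Lock {
    pub amount: u128,
    pub reasons: WithdrawReasons,
}

pub struct Account {
    pub free: u128,
    pub locks: Vec<Lock>,
}

impl Account {
    /// Largest locked amount among the locks that apply to `reason`.
    fn frozen_for(&self, reason: WithdrawReasons) -> u128 {
        self.locks
            .iter()
            .filter(|l| l.reasons.contains(reason))
            .map(|l| l.amount)
            .max()
            .unwrap_or(0)
    }

    /// Withdraw `amount` for `reason`, refusing if the remaining free balance
    /// would fall below what the applicable locks freeze.
    pub fn withdraw(&mut self, amount: u128, reason: WithdrawReasons) -> Result<(), WithdrawError> {
        let new_free = self.free.checked_sub(amount).ok_or(WithdrawError::InsufficientBalance)?;
        if new_free < self.frozen_for(reason) {
            return Err(WithdrawError::LiquidityRestrictions);
        }
        self.free = new_free;
        Ok(())
    }
}

/// An account holding `total` units of which `unvested` are locked under
/// `lock_reasons` (stands in for the vesting pallet's single lock).
pub fn vested_account(total: u128, unvested: u128, lock_reasons: WithdrawReasons) -> Account {
    Account { free: total, locks: vec![Lock { amount: unvested, reasons: lock_reasons }] }
}

/// Configuration check: does the reason set used for the vesting lock cover
/// both FEE and TIP, so unvested funds cannot be spent on transaction payment?
pub fn blocks_fees_and_tips(lock_reasons: WithdrawReasons) -> bool {
    lock_reasons.contains(WithdrawReasons::FEE) && lock_reasons.contains(WithdrawReasons::TIP)
}

/// Runs both scenarios; returns (transfer, tip, tip with a lock covering all reasons).
pub fn demo() -> (Result<(), WithdrawError>, Result<(), WithdrawError>, Result<(), WithdrawError>) {
    // Constructed sample: 100 units, all of them still unvested.
    let transfer_only = WithdrawReasons::TRANSFER | WithdrawReasons::RESERVE;
    let mut weak = vested_account(100, 100, transfer_only);
    let transfer = weak.withdraw(10, WithdrawReasons::TRANSFER); // blocked by the lock
    let tip = weak.withdraw(10, WithdrawReasons::TIP); // succeeds: lock does not cover TIP

    let mut strict = vested_account(100, 100, WithdrawReasons::all());
    let tip_blocked = strict.withdraw(10, WithdrawReasons::TIP); // blocked
    (transfer, tip, tip_blocked)
}

fn main() {
    let (transfer, tip, tip_blocked) = demo();
    println!("transfer from unvested, lock = TRANSFER|RESERVE: {:?}", transfer);
    println!("tip from unvested,      lock = TRANSFER|RESERVE: {:?}", tip);
    println!("tip from unvested,      lock = all():            {:?}", tip_blocked);
    let cfg = WithdrawReasons::TRANSFER | WithdrawReasons::RESERVE;
    println!("TRANSFER|RESERVE blocks fees and tips: {}", blocks_fees_and_tips(cfg));
}
```

In the first scenario the tip goes through and the account ends with 90 free units against 100 unvested, which is exactly the balance drop the disclosure warns about; in the second the same tip is refused. A chain that wants tips to be payable from unvested funds can keep the narrower reason set deliberately, as the post allows, but then `blocks_fees_and_tips` returning false should be an expected result rather than a surprise.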

Somewhat of a misrepresentation in my opinion: This is not a bug but rather a potential mis-parameterization.

Thanks for sharing the vulnerability. I have a few pieces of feedback though:

  • Similar to the text, I find the title of this post quite confusing and not really representative. I first thought this is a random comment on the pallet rather than a vulnerability disclosure. I am also not sure what you mean by “flow”. You probably meant flaw.

  • Even if you correct the text and title, I think vulnerability disclosure without an index to track the history and full list is not very useful. This post will be forgotten in time, but the lesson to parameterize this pallet correctly needs to persist. Instead of solely shooting an update here, I suggest creating a CVE-style index of all known vulnerabilities and their disclosure process, and keeping it somewhere easy to find (e.g. GitHub wiki).

I am suggesting you think about: How is this forum post going to remain easily discoverable to a new FRAME dev about to launch a chain in 1y? As it stands, it probably won’t.

UPDATE: @VinceCorsica’s comment here seems to address some of the feedback: Improving the substrate/ecosystem vulnerabilities disclosure - #18 by VinceCorsica