
Finding a Critical Logic Flaw in Legion Protocol’s Epoch Vesting
By RimDinov (@rdin777)

While performing a deep-dive security audit of the Legion Protocol, I identified a critical vulnerability in its linear epoch-based vesting contract. This flaw isn't just a minor edge case — it's a fundamental logic error that can lead to permanent loss of user funds and broken protocol invariants. In this article, I'll break down how the vulnerability works, why the math fails, and how I built a Proof-of-Concept (PoC) using Foundry to prove it.

The Architecture: Epoch vs. Linear Vesting

Most vesting contracts use a simple linear formula based on block.timestamp. Legion, however, implemented an epoch-based approach: tokens are unlocked in "chunks" (epochs) rather than every second. While this design can be useful for certain tokenomics, its implementation in LegionLinearEpochVesting.sol introduced a dangerous state dependency.

The Vulnerability: State-Dependent Vesting Math

The core issue lies in the _vestingSchedule function. Instead of being a pure function
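To make the two schedule shapes concrete, the following Python model of the vesting math is an added example written for this page; it is not Legion Protocol's code and does not reproduce LegionLinearEpochVesting.sol or its _vestingSchedule function. The Schedule fields, the convention that a chunk unlocks at the end of each epoch, and the sample amounts and timestamps are assumptions chosen for illustration. The point it shows is the design property the article is about: both the linear and the epoch schedule are pure functions of (schedule, now), the only mutable state is the released counter, and the invariants (monotone, never above the allocation, fully unlocked at the end) can be checked directly against the pure function.

```python
"""Linear vs epoch-based vesting math as pure functions.

Added illustration only: this is NOT Legion Protocol's LegionLinearEpochVesting.sol.
Amounts are integers in token base units and times are UNIX seconds, mirroring
what an EVM contract does with uint256 and block.timestamp.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Schedule:
    """Immutable vesting parameters (field set assumed for this example)."""
    total: int      # total allocation in base units
    start: int      # vesting start timestamp
    cliff: int      # seconds after start before anything unlocks
    duration: int   # vesting length in seconds, measured from start
    epochs: int     # number of equal unlock chunks; 0 means continuous linear


def vested_linear(s: Schedule, now: int) -> int:
    """Classic block.timestamp-linear vesting: depends only on (s, now)."""
    if now < s.start + s.cliff:
        return 0
    elapsed = now - s.start
    if elapsed >= s.duration:
        return s.total
    return s.total * elapsed // s.duration


def vested_epoch(s: Schedule, now: int) -> int:
    """Epoch vesting: a chunk unlocks at the END of each of `s.epochs` equal epochs.

    completed = floor(elapsed * epochs / duration) avoids a separate epoch
    length, so duration need not divide evenly by epochs. Integer division
    leaves dust (total % epochs) that is only paid out once elapsed >= duration.
    """
    if s.epochs <= 0:
        raise ValueError("epochs must be positive for epoch vesting")
    if now < s.start + s.cliff:
        return 0
    elapsed = now - s.start
    if elapsed >= s.duration:
        return s.total
    completed = elapsed * s.epochs // s.duration   # strictly less than s.epochs here
    return s.total * completed // s.epochs


def vested(s: Schedule, now: int) -> int:
    """Dispatch on schedule shape; still a pure function of (s, now)."""
    return vested_epoch(s, now) if s.epochs else vested_linear(s, now)


class VestingAccount:
    """The only mutable state: how much has already been paid out.

    Everything else is recomputed from the immutable schedule, so releasing
    early, late, or many times cannot change what is ultimately owed.
    """

    def __init__(self, schedule: Schedule) -> None:
        self.schedule = schedule
        self.released = 0

    def releasable(self, now: int) -> int:
        owed = vested(self.schedule, now) - self.released
        if owed < 0:   # impossible with a pure, monotone schedule
            raise AssertionError("released more than vested: schedule invariant broken")
        return owed

    def release(self, now: int) -> int:
        amount = self.releasable(now)
        self.released += amount
        return amount


def check_invariants(s: Schedule, sample_times: list[int]) -> bool:
    """Properties any vesting schedule must satisfy; True if all hold on the samples."""
    prev = 0
    for t in sorted(sample_times):
        v = vested(s, t)
        if v < prev or v > s.total:       # monotone, never above the allocation
            return False
        prev = v
    return vested(s, s.start + s.duration) == s.total   # everything unlocks at the end


if __name__ == "__main__":
    # Constructed sample: 1,000,000 base units over 100 seconds in 4 epochs.
    demo = Schedule(total=1_000_000, start=1_700_000_000, cliff=0, duration=100, epochs=4)
    for dt in (24, 25, 49, 50, 100):
        print(dt, vested_linear(demo, demo.start + dt), vested_epoch(demo, demo.start + dt))
```

The contrast worth noticing is that within an epoch the epoch schedule is flat while the linear one keeps rising, and that with the same (schedule, now) inputs both functions always return the same value no matter how many times release has been called; a schedule function that instead reads contract state that release can change loses that guarantee, which is the class of problem the section above introduces.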
Continue reading on Dev.to
