OZolio

Off-Chain (Private)
Audited on 2025/02/10
No active critical issues

Summary

Ozolio’s contract manages vesting schedules for different wallets (Team, Advisory, Partner, Treasury), allocating tokens from an ERC20 token contract. It utilizes an exponential decay formula to calculate claimable amounts over time, factoring in lock-up periods and vesting durations. Wallets can claim their vested tokens, and the contract includes functionality for the owner to update wallet addresses and retrieve wallet information, with upgradeability and reentrancy protection.

Issues (4)

             Low  Medium  High  Critical  Total
Not fixed    -    -       -     -         0
Fixed        1    1       2     -         4
Total        1    1       2     0         4

Some funds are stuck due to division before multiplication
fixed/high

The wallet's tokenAllocation "_T" is divided before being multiplied, so the allocation is rounded down before the multiplication is applied.
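
The rounding loss described above, as an added example that is not Ozolio's contract code: Python floor division stands in for Solidity uint256 division. Because the page does not show the contract's exponential decay formula, a linear schedule is assumed, and all function names and sample values are constructed.

```python
# Added illustration, not Ozolio's contract code. Python's // on non-negative
# ints truncates like Solidity uint256 division. The linear schedule, function
# names and sample values are assumptions constructed for this example.

def vested_divide_first(allocation: int, elapsed: int, duration: int) -> int:
    """Buggy ordering: the allocation is rounded down, then the loss is scaled."""
    elapsed = min(elapsed, duration)
    return (allocation // duration) * elapsed


def vested_multiply_first(allocation: int, elapsed: int, duration: int) -> int:
    """Corrected ordering: a single rounding step, applied last."""
    elapsed = min(elapsed, duration)
    return (allocation * elapsed) // duration


def simulate_claims(vested_fn, allocation: int, duration: int, step: int):
    """Claim every `step` seconds until the schedule ends.

    Returns (total_claimed, stuck), where stuck is the part of the
    allocation that can never be claimed.
    """
    claimed, t = 0, 0
    while t < duration:
        t = min(t + step, duration)
        claimed += vested_fn(allocation, t, duration) - claimed
    return claimed, allocation - claimed


# Constructed sample: 1,000,000 tokens with 18 decimals plus an odd remainder,
# vested over three years and claimed every 30 days.
ALLOCATION = 1_000_000 * 10**18 + 123_456_789
DURATION = 3 * 365 * 24 * 3600
STEP = 30 * 24 * 3600

if __name__ == "__main__":
    for fn in (vested_divide_first, vested_multiply_first):
        claimed, stuck = simulate_claims(fn, ALLOCATION, DURATION, STEP)
        print(f"{fn.__name__}: claimed={claimed} stuck={stuck}")
```

With the divide-first ordering the stuck amount equals the allocation modulo the divisor. In Solidity the multiply-first form also requires the intermediate product to fit in uint256.
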
The nonce increment mechanism is improperly implemented
fixed/high

The nonce increment mechanism is improperly implemented, resulting in nonces never being incremented. This completely breaks the replay protection mechanism of the meta-transaction system.

The vulnerability stems from the misuse of the post-increment operator (++). In Solidity, when using post-increment, the following sequence occurs:

1. The current value is returned
2. The value is incremented
3. The returned value (pre-increment) is assigned back to the variable

Therefore, if the nonce starts at 0:

- nonces[userAddress]++ returns 0 and increments to 1
- nonces[userAddress] = then assigns 0 back
- The nonce effectively never changes

Uses Ownable2StepUpgradeable instead of OwnableUpgradeable
fixed/medium

One issue is that the contract does not utilize the __Ownable2StepUpgradeable_init() function, designed to facilitate a two-step ownership transfer process. Without this mechanism, ownership transfers occur immediately, exposing the contract to potential risks. The two-step process enhances security by requiring a confirmation step before ownership is fully transferred, thereby reducing the likelihood of unauthorized access or control over the contract.
Enhance Contract Robustness and Security
fixed/low

Add the sanity checks and best practices that make the contract more robust:

- SafeERC20: Replaced direct token.transfer() with token.safeTransfer() to prevent issues with tokens that don't return true on successful transfers.
- Non-Negative N Check: Added a require(N >= 0, ...) check before converting N to a uint256 in claimableAmount() to prevent unexpected behavior if the vesting calculation results in a negative claimable amount.

Contracts (4)

#  File Name
1  BasicMetaTransaction.sol
2  VestingOzolio.sol
3  OwnedUpgradeabilityProxy.sol
4  Ozolio.sol