The function SablierV2LockupLinear::_calculateStreamedAmount does not verify whether startTime is greater than blockTimestamp. This oversight means that if the current stream has not yet started, invoking _calculateStreamedAmount will result in an error and a revert. This could potentially lead to Denial of Service (DoS) vulnerabilities.
The SablierV2LockupLinear::_calculateStreamedAmount function does not check whether startTime is greater than blockTimestamp. This causes the elapsedTime math operation to underflow, specifically in the calculation ud(blockTimestamp - startTime). Although the function verifies whether cliffTime > blockTimestamp, the absence of a check for startTime can lead to an error during the conversion of streamedAmount from UD60x18 to uint256. This oversight can result in a Denial of Service (DoS) vulnerability under certain conditions.
This issue affects almost all functions that rely on _calculateStreamedAmount, including SablierV2Lockup::refundableAmountOf, SablierV2Lockup::_streamedAmountOf, and SablierV2Lockup::_cancel (as well as SablierV2Lockup::cancel). When these functions are invoked before the stream has started, they can encounter errors, potentially disrupting their normal operation and exposing the contract to DoS attacks.
Proof of Concept for [Potential DoS in calculateStreamedAmount function with certain conditions]
calculateStreamedAmount doesn't check whether startTime is greater than blockTimestamp.
Please paste the code below into a new file:
Test file:
And you will get this error:
[FAIL. Reason: PRBMath_MulDiv_Overflow(115792089237316195423570985008687907853269984665640564039457584007913129639935 [1.157e77], 1000000000000000000 [1e18], 30)] test_CalculateStreamedAmount() (gas: 8733)
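The revert above can be reproduced in a small Python model of the arithmetic. This is an added example, not code from the report, Sablier or PRBMath. It assumes the subtraction wraps modulo 2^256 (consistent with the first argument in the error), that the UD60x18 division computes floor(x * 1e18 / y) and fails when the quotient does not fit in uint256, and that the total time is ud(endTime - startTime); the guard_start flag is a hypothetical fix, not the project's own.

```python
# Added model; not Sablier or PRBMath source code.
UINT256_MAX = 2**256 - 1
UNIT = 10**18  # UD60x18 fixed-point scale


class MulDivOverflow(Exception):
    """Stands in for PRBMath_MulDiv_Overflow(x, y, denominator)."""


def unchecked_sub(a: int, b: int) -> int:
    # Assumption: the subtraction wraps modulo 2**256 instead of reverting.
    return (a - b) % 2**256


def mul_div(x: int, y: int, denominator: int) -> int:
    # floor(x * y / denominator); fails when the quotient does not fit uint256.
    result = (x * y) // denominator
    if result > UINT256_MAX:
        raise MulDivOverflow(x, y, denominator)
    return result


def streamed_amount(deposited, start, cliff, end, now, guard_start=False):
    if guard_start and start > now:
        return 0  # hypothetical guard: nothing streams before startTime
    if cliff > now:
        return 0  # the cliffTime > blockTimestamp check the report mentions
    if now >= end:  # assumed: stream fully elapsed
        return deposited
    elapsed = unchecked_sub(now, start)   # ud(blockTimestamp - startTime)
    total = unchecked_sub(end, start)     # assumed: ud(endTime - startTime)
    percentage = mul_div(elapsed, UNIT, total)    # UD60x18 division
    return mul_div(deposited, percentage, UNIT)   # UD60x18 multiplication


def probe(guard_start: bool):
    # Constructed pending stream: starts 1 second from now, lasts 30 seconds.
    now = 1_700_000_000
    try:
        return streamed_amount(100 * UNIT, now + 1, now, now + 31, now, guard_start)
    except MulDivOverflow as err:
        return err.args


if __name__ == "__main__":
    print("unguarded:", probe(False))
    print("guarded:  ", probe(True))
```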
If the sender inputs the wrong recipient, they will be unable to cancel the stream until it has started, leading to potential loss. For example, if the sender sets up a stream of 500,000 with a one-day duration, and the stream runs for only 10 seconds, approximately 57.87 will be sent to the unintended recipient.
The sender will be unable to cancel the stream if the stream's status is pending. This does not reflect what is written in the docs, where ISablierV2Lockup::cancel can be called while the status is warm (Pending and Streaming).
SablierV2Lockup::_streamedAmountOf will always return an error if the stream's current status is pending.
SablierV2Lockup::refundableAmountOf will return an error if isCancelable == true and isDepleted == false, because _calculateStreamedAmount is used in the math operation for the refundableAmount variable.
Manual Review