Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: low
Invalid

If the recipient of a stream is blacklisted by USDC, then withdraw or withdrawMultiple will fail

Summary

The functions withdraw and withdrawMultiple will revert if any recipient of the stream(s) being withdrawn from is blacklisted by USDC.

Vulnerability Details

Sablier is an ERC-20 distribution protocol that streams ERC-20 tokens to a recipient over time.
The most widely adopted ERC-20s for such distributions are USDC, DAI, and USDT; USDC is even featured on Sablier's homepage. USDC and USDT have additional features compared to plain ERC-20 tokens, one of which is blacklisting: transfers to or from a blacklisted address revert.

withdraw and withdrawMultiple withdraw assets from the stream(s) to the recipient(s).

These are publicly callable functions, but they only ever transfer the streamed assets to the recipients.
withdrawMultiple iterates over the given stream IDs and executes withdraw for each one.

After performing the necessary checks, withdraw calls the internal function _withdraw, which actually transfers the assets to the recipient.

_withdraw deducts the assets from the stream and transfers them to the recipient.

Since most distributions will be done in USDC or USDT, it is possible that a recipient gets blacklisted by USDC because of malicious activity on their part. In that case, the token transfer will always revert whenever _withdraw tries to send the assets to that recipient.

The path for changing the recipient, withdrawMaxAndTransfer, will also revert, because it first transfers the withdrawable assets to the current (already blacklisted) recipient and only then updates the recipient.

Impact

  • If any one recipient in the batch is blacklisted, the entire withdrawMultiple call reverts and none of the recipients receive assets from their streams.

  • If withdraw is called directly for a single stream ID and that stream's recipient is blacklisted by USDC, the transaction reverts.

  • In this case, the entire withdrawal process is broken.

Tools Used

  • Manual Review

Recommendation

  • The withdraw mechanism needs to be redesigned: let the stream owner update the recipient without first withdrawing to the current, blacklisted recipient.
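The revert-on-blacklist behaviour described above and the recommended fix, as a simplified Python model added here for illustration. This is not Sablier's code and not a USDC implementation: the token, the streaming contract, the function names (withdraw, withdraw_multiple, update_recipient) and the account names (alice, bob, carol, dave) are hypothetical, and the balances are constructed sample data. The model emulates EVM revert semantics, so a revert anywhere inside a call undoes every state change of that call, which is what makes the batch case all-or-nothing.

```python
import copy


class Revert(Exception):
    """Stands in for an EVM revert: all state changes of the call are undone."""


class BlacklistToken:
    """Minimal ERC-20 model with a USDC-style blacklist check on transfer.

    Constructed for this example; not the real USDC contract.
    """

    def __init__(self, balances):
        self.balances = dict(balances)
        self.blacklisted = set()

    def transfer(self, sender, recipient, amount):
        # Real USDC reverts if either side of the transfer is blacklisted.
        if sender in self.blacklisted or recipient in self.blacklisted:
            raise Revert("Blacklistable: account is blacklisted")
        if self.balances.get(sender, 0) < amount:
            raise Revert("ERC20: transfer amount exceeds balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


class StreamContract:
    """Hypothetical streaming contract; the API is illustrative, not Sablier's."""

    ADDRESS = "stream-contract"  # the contract's own token balance is held here

    def __init__(self, token):
        self.token = token
        self.streams = {}

    def create(self, stream_id, sender, recipient, withdrawable):
        self.streams[stream_id] = {
            "sender": sender, "recipient": recipient, "withdrawable": withdrawable,
        }

    def _atomic(self, fn, *args):
        """Run fn as one transaction: on Revert, restore the pre-call state."""
        snapshot = copy.deepcopy((self.streams, self.token.balances))
        try:
            return fn(*args)
        except Revert:
            self.streams, self.token.balances = snapshot
            raise

    def _withdraw(self, stream_id, amount):
        s = self.streams[stream_id]
        if amount > s["withdrawable"]:
            raise Revert("amount exceeds withdrawable")
        s["withdrawable"] -= amount
        # The token transfer is the step that reverts for a blacklisted recipient.
        self.token.transfer(self.ADDRESS, s["recipient"], amount)

    def withdraw(self, stream_id, amount):
        return self._atomic(self._withdraw, stream_id, amount)

    def withdraw_multiple(self, stream_ids, amounts):
        def batch():
            for sid, amt in zip(stream_ids, amounts):
                self._withdraw(sid, amt)
        return self._atomic(batch)

    def update_recipient(self, caller, stream_id, new_recipient):
        """The fix the finding proposes: change the recipient without a transfer."""
        s = self.streams[stream_id]
        if caller != s["sender"]:
            raise Revert("only the stream sender may change the recipient")
        if new_recipient in self.token.blacklisted:
            raise Revert("new recipient is blacklisted")
        s["recipient"] = new_recipient


def run_scenario():
    """Two streams, one recipient blacklisted: batch reverts, then the fix is applied."""
    token = BlacklistToken({StreamContract.ADDRESS: 1_000})  # constructed balance
    sc = StreamContract(token)
    sc.create(1, "alice", "bob", 100)
    sc.create(2, "alice", "carol", 200)
    token.blacklisted.add("carol")

    result = {}
    try:
        sc.withdraw_multiple([1, 2], [100, 200])
        result["batch_reverted"] = False
    except Revert:
        result["batch_reverted"] = True
    # bob's withdrawal was rolled back along with carol's failed one
    result["bob_after_batch"] = token.balances.get("bob", 0)
    result["stream1_withdrawable_after_batch"] = sc.streams[1]["withdrawable"]

    # Sender redirects stream 2 to a non-blacklisted address, then the batch succeeds
    sc.update_recipient("alice", 2, "dave")
    sc.withdraw_multiple([1, 2], [100, 200])
    result["bob_after_fix"] = token.balances["bob"]
    result["dave_after_fix"] = token.balances["dave"]
    return result


if __name__ == "__main__":
    print(run_scenario())
```

The first batch leaves every stream untouched, including the one whose recipient is not blacklisted, which is the impact the finding describes. Whether a sender-controlled update_recipient is an acceptable design is a separate question the page does not settle (the judges invalidated this finding), so treat it as the submitter's proposal rather than an established pattern.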

Additional Instance

If the sender is blacklisted, cancel() and cancelMultiple() won't work.

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Info/Gas/Invalid as per Docs

https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity

ihtishamsudo Submitter
about 1 year ago
inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Info/Gas/Invalid as per Docs

https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
