Sablier

DeFiFoundry

53,440 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Possible merkelProof replay attack in SablierV2MerkleLL

jennifersun

Summary

In Sablier, we use merkelProof to verify users' signature. In each SablierV2MerkleLL/SablierV2MerkleLT, one merkel root is initialized. If two SablierV2MerkleLT share the same merkelRoot, we can use one SablierV2MerkleLT's merkelproof to claim in another SablierV2MerkleLT.

Vulnerability Details

In SablierV2MerkleLL/SablierV2MerkleLT, we use merkel proof method to verify users' validation.

function claim(

uint256 index,

address recipient,

uint128 amount,

bytes32[] calldata merkleProof

)

external

override

returns (uint256 streamId)

{

// Generate the Merkle tree leaf by hashing the corresponding parameters. Hashing twice prevents second

// preimage attacks.

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(index, recipient, amount))));

// Check: validate the function.

_checkClaim(index, leaf, merkleProof);

.......

}

function _checkClaim(uint256 index, bytes32 leaf, bytes32[] calldata merkleProof) internal {

......

// Check: the input claim is included in the Merkle tree.

if (!MerkleProof.verify(merkleProof, MERKLE_ROOT, leaf)) {

revert Errors.SablierV2MerkleLockup_InvalidProof();

}

Sablier will make use of MerkleProof.verify to verify. The key of verification is MERKLE_ROOT. Considering if there're two or several SablierV2MerkleLL/SablierV2MerkleLT, share the same merkel root, and the leaf information doesnot contain any information with this specific SablierV2MerkleLT/SablierV2MerkleLL.

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(index, recipient, amount))));

We can use one merkelProof in one SablierV2MerkleLL to verify in another SablierV2MerkleLL to claim some airdrops.

If Sablier plans to deploy in multi-chain, merkelProof may be used to replay in cross-chain case.

Impact

MerkelProof can be replayed to earn more airdrops.

Tools Used

Manual

Recommendations

Contain some more specific information in merkel tree's leaf.

Updates

Lead Judging Commences

inallhonesty Lead Judge

about 1 year ago

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Assigned finding tags:

Known - Contest Details

https://www.codehawks.com/contests/clvb9njmy00012dqjyaavpl44

Prize pool breakdown

Total prize

53,440 USDC

nSLOC

2,655

20 USDC / LOC

High Medium

45,000 USDC

Low

3,100 USDC

Judges

5,340 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.