Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: low
Valid

Merkle-tree-related contracts vulnerable to cross-chain-replay attacks

Summary

Sablier V2 is a token distribution protocol used by DAOs and businesses for vesting, payroll, airdrops, and more. Our flagship model is the linear stream, which distributes assets on a continuous, by-the-second basis.

A possible use case: I want to sign a compensation contract with a potential CEO of my company where he gets 100 million USDC (read: a huge amount of any asset) vested (streamed linearly) over 12 years with a 4-year cliff.

Vulnerability Details

Since these streams are long-lived, they need to be able to handle forks correctly. If someone generates an exchange (cex.io, huobi, binance) address as the stream recipient, that address may only be valid for that chain (e.g. the exchange supports Ethereum but not Ethereum Classic), and any funds sent to the unsupported chain are lost.

POC

There are no EIP-712 protections in the encoding:

// https://github.com/Cyfrin/2024-05-Sablier/blob/main/v2-periphery/src/SablierV2MerkleLT.sol#L86
// https://github.com/Cyfrin/2024-05-Sablier/blob/main/v2-periphery/src/SablierV2MerkleLL.sol#L71
bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(index, recipient, amount))));

// https://github.com/Cyfrin/2024-05-Sablier/blob/main/v2-periphery/src/abstracts/SablierV2MerkleLockup.sol#L144
if (!MerkleProof.verify(merkleProof, MERKLE_ROOT, leaf)) {
    revert Errors.SablierV2MerkleLockup_InvalidProof();
}

Impact

If there's a fork, since anyone can call withdraw(), an attacker can monitor the blockchain for calls to withdraw(), and then make the same call with the same arguments on the other chain, which will send funds to the unsupported address.

Tools Used

Credit where it's due:
code-423n4 past report

Recommendations

Add EIP-712 protections and add a mechanism to allow tokens to be transferred to a different address using EIP-2612 permit().
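
One way to apply the domain-separation half of this recommendation, shown as an added example (not Sablier's code and not part of the submission): it binds `block.chainid` into the Merkle leaf, which is a simpler form of chain binding than full EIP-712 typed-data hashing. The contract name, function names and parameter types are assumptions, the off-chain tree must hash its leaves with the same chain id, and the fork is assumed to adopt a distinct chain id.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import { MerkleProof } from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";

// Added illustration, not Sablier code. Names and parameter types are assumptions.
contract ChainBoundMerkleClaim {
    bytes32 public immutable MERKLE_ROOT;
    mapping(uint256 => bool) public claimed;

    error InvalidProof();
    error AlreadyClaimed();

    constructor(bytes32 merkleRoot) {
        MERKLE_ROOT = merkleRoot;
    }

    // Leaf encoding quoted in the finding: nothing in it identifies the chain,
    // so the same (index, recipient, amount, proof) verifies on both sides of a fork.
    function leafAsQuoted(uint256 index, address recipient, uint128 amount) public pure returns (bytes32) {
        return keccak256(bytes.concat(keccak256(abi.encode(index, recipient, amount))));
    }

    // Chain-bound leaf. block.chainid is read at call time rather than cached in the
    // constructor: a cached value is copied to the fork together with the rest of the
    // state and would still match there.
    function leafChainBound(uint256 index, address recipient, uint128 amount) public view returns (bytes32) {
        return keccak256(bytes.concat(keccak256(abi.encode(block.chainid, index, recipient, amount))));
    }

    function claim(uint256 index, address recipient, uint128 amount, bytes32[] calldata proof) external {
        if (claimed[index]) revert AlreadyClaimed();
        // On a chain whose id differs from the one the tree was built for, the
        // recomputed leaf no longer matches MERKLE_ROOT and the claim reverts.
        if (!MerkleProof.verify(proof, MERKLE_ROOT, leafChainBound(index, recipient, amount))) {
            revert InvalidProof();
        }
        claimed[index] = true;
        // Stream creation for `recipient` would follow here.
    }
}
```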

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Cross Chain Replay Attacks
