Sablier
Sablier
DeFiFoundry
53,440 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

`onlyAdmin` can clawback even after the grace period is over.

ctrus

Summary

Admin can clawback even after the grace period is passed.

Vulnerability Details

The SablierV2MerkleLockup::clawback has a if block which has 2 conditions to be met in order to execute the code inside. There are few conditions which have to be met in order to make a clawback.

  1. The grace period should not be passed(i.e. 7 days after the first claim has been made)

  2. campaign must be expired.
    But the problem is with the && operator used in the block. There is one particular condition when "the grace period is over and the campaign has expired", When this happens the if block would'nt execute as one of its conditions fail. and this way the onlyAdmin role would be able to make a clawback even when the grace period is passed.

if (_hasGracePeriodPassed() && !hasExpired()) {
revert Errors.SablierV2MerkleLockup_ClawbackNotAllowed({
blockTimestamp: block.timestamp,
expiration: EXPIRATION,
firstClaimTime: _firstClaimTime
});
}

Impact

The onlyAdmin role can make a clawback even when the grace period is passed and can transfer tokens to the to address even when the docs say it can't as the grace period is passed. This is unfair transfer of tokens and unfair advantage to role onlyAdmin.

Tools Used

Manual Analysis

Recommendations

Use || operator instead of && inside the if block.

- if (_hasGracePeriodPassed() && !hasExpired()) {
+ if (_hasGracePeriodPassed() || !hasExpired()) {
revert Errors.SablierV2MerkleLockup_ClawbackNotAllowed({
blockTimestamp: block.timestamp,
expiration: EXPIRATION,
firstClaimTime: _firstClaimTime
});
}
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.