`SablierV2LockupDynamic::_calculateStreamedAmountForMultipleSegments` does not take into account payments that are due now
Summary
The _calculateStreamedAmountForMultipleSegments in SablierV2LockupDynamic.sol will not take into account a user's segment amount if block.timestamp equals currentSegmentTimestamp
Vulnerability Details
The function _calculateStreamedAmountForMultipleSegments calculates the current user's amount that he has and can withdraw. The problem is that the while loop will skip 1 of the payments if the currentSegmentTimestamp equals blockTimestamp
This is how the while loop inside the function looks like:
It loops until the currentSegmentTimestamp is less than blockTimestamp which means that if they are equal it will exit out. This is a problem because the payment that is due now is not taken into account and if a user tries to withdraw now and his last payment is due now it will be skipped and the user will have to reinvoke the function again or will think that he has to wait more until his payment comes
Impact
This leads to a user not being able to receive his full amount in some cases when currentSegmentTimestamp equals blockTimestamp. If a user has a payment and it unlocks now, he should have access to it.
Tools Used
Manual review
Recommendations
Change the while loop to include the payments that are due now
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.