Honeypot attacks are possible in secondary-market sales of Sablier stream NFTs
Vulnerability details

In Sablier, every recipient of a newly created stream is minted a Sablier NFT that represents the stream. These NFTs are tradeable (for example, see here).

This creates a possible honeypot on the secondary market for these NFTs, in two scenarios:

1. Recipient side. The current recipient (the owner of the NFT) lists the NFT for sale at a price that reflects the amount still to be streamed. Right before the sale executes, they call withdraw()/withdrawMax() for the maximum withdrawable amount, collecting the sale price while also keeping the portion that had already streamed.

2. Sender side. A malicious user sets up multiple very profitable streams to a recipient address they control and lists the NFTs for sale on secondary exchanges. Right before the sale executes, they use their permissions as the stream sender to call cancel()/cancelMultiple(), which refunds them the unstreamed amount (computed as senderAmount). The buyer pays a price that assumes the stream is still active but receives an NFT that no longer streams any funds.
Impact

Malicious stream senders and recipients can abuse their permissions to run honeypot attacks against buyers of stream NFTs.

Tools Used

Manual Analysis

Recommended Mitigation

Burn the stream NFT when cancel() is called.
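The following is an added example, not Sablier's code: a constructed toy model of a linear stream whose recipient holds an NFT, used to show why the NFT's value must be taken from on-chain state at the moment of settlement rather than at listing time, and what the burn-on-cancel mitigation changes. The class and function names (Stream, settle_sale, withdraw_max, value_to_new_owner, sender_cancel_before_sale, recipient_withdraw_before_sale), the linear streaming formula and the sample amounts are all assumptions made for illustration; Sablier's real contracts differ.

```python
from dataclasses import dataclass


class NFTBurned(Exception):
    """Raised when a transfer targets a token that no longer exists."""


@dataclass
class Stream:
    """Constructed toy model of a linear stream whose recipient holds an NFT."""
    sender: str
    owner: str          # the NFT owner; receives whatever still streams
    deposit: int
    start: int
    end: int
    withdrawn: int = 0
    cancelled: bool = False
    nft_exists: bool = True   # False once the NFT has been burned

    def streamed(self, now: int) -> int:
        """Amount streamed so far (linear between start and end; an assumption)."""
        if now <= self.start:
            return 0
        if now >= self.end:
            return self.deposit
        return self.deposit * (now - self.start) // (self.end - self.start)

    def withdrawable(self, now: int) -> int:
        """Streamed funds the owner has not yet withdrawn."""
        return self.streamed(now) - self.withdrawn

    def future_streaming(self, now: int) -> int:
        """Funds the NFT will still stream to its owner after `now`."""
        return 0 if self.cancelled else self.deposit - self.streamed(now)

    def withdraw_max(self, now: int, caller: str) -> int:
        """Owner pulls everything currently withdrawable (the recipient-side step)."""
        assert caller == self.owner, "only the NFT owner can withdraw"
        amount = self.withdrawable(now)
        self.withdrawn += amount
        return amount

    def cancel(self, now: int, caller: str, burn_nft: bool) -> int:
        """Sender cancels; the unstreamed remainder (senderAmount) goes back to them."""
        assert caller == self.sender, "only the sender can cancel"
        sender_amount = self.deposit - self.streamed(now)
        self.cancelled = True
        if burn_nft:              # the mitigation proposed in the finding
            self.nft_exists = False
        return sender_amount

    def transfer_nft(self, buyer: str) -> None:
        if not self.nft_exists:
            raise NFTBurned("token burned: a cancelled stream cannot be sold")
        self.owner = buyer

    def value_to_new_owner(self, now: int) -> int:
        """What a buyer actually acquires at settlement: unclaimed plus future funds."""
        if not self.nft_exists:
            return 0
        return self.withdrawable(now) + self.future_streaming(now)


def settle_sale(stream: Stream, buyer: str, now: int, quoted_value: int) -> dict:
    """Marketplace-side check: revalue the NFT from current state before settling.

    Returns the value quoted at listing time, the value actually delivered at
    settlement, and whether the transfer succeeded. A real marketplace would
    revert when `delivered` falls short of `quoted` instead of just recording it.
    """
    try:
        delivered = stream.value_to_new_owner(now)
        stream.transfer_nft(buyer)
        return {"quoted": quoted_value, "delivered": delivered, "settled": True}
    except NFTBurned:
        return {"quoted": quoted_value, "delivered": 0, "settled": False}


def sender_cancel_before_sale(burn_on_cancel: bool) -> dict:
    """Sender-side scenario from the finding, with and without burn-on-cancel."""
    s = Stream(sender="mallory", owner="mallory_alt", deposit=1_000, start=0, end=100)
    quoted = s.value_to_new_owner(now=50)     # 500 unclaimed + 500 still to stream
    s.cancel(now=50, caller="mallory", burn_nft=burn_on_cancel)   # 500 refunded
    return settle_sale(s, buyer="bob", now=50, quoted_value=quoted)


def recipient_withdraw_before_sale() -> dict:
    """Recipient-side scenario: the owner drains withdrawable funds before settlement."""
    s = Stream(sender="alice", owner="mallory", deposit=1_000, start=0, end=100)
    quoted = s.value_to_new_owner(now=50)     # 1000 at listing time
    s.withdraw_max(now=50, caller="mallory")  # 500 leaves the stream
    return settle_sale(s, buyer="bob", now=50, quoted_value=quoted)
```

Without the mitigation, both scenarios settle with the buyer receiving half the quoted value; a marketplace that revalues from current state at settlement (the `settle_sale` comparison) can at least refuse such trades. With burn-on-cancel, the sender-side scenario cannot settle at all, because the token being sold no longer exists. The recipient-side scenario is unaffected by burning and still relies on settlement-time valuation, which is why the two checks complement each other.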