Sablier
DeFiFoundry
53,440 USDC

Submission Details
Severity: low
Invalid

Some ERC20 tokens do not allow `type(uint256).max` for approval.

Summary

The Sablier periphery factory contract lets users create Airstream contracts and fund them through ERC20 transfers, so that claimers can later claim the tokens through streams funded by those Airstream contracts. However, these contracts use `type(uint256).max` as the ERC20 approval amount, which some tokens do not allow.

Vulnerability details

The `SablierV2MerkleLockupFactory::createMerkleLL` and `SablierV2MerkleLockupFactory::createMerkleLT` functions allow users to create Airstream contracts, but in the constructor of these contracts the protocol approves the Airstream asset token for `type(uint256).max`:

```solidity
ASSET.forceApprove(address(LOCKUP_LINEAR), type(uint256).max);
```

Some ERC20 tokens do not support this and revert on any approval larger than `type(uint96).max`.
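The behaviour described above, as an added example that is not part of the original submission or of Sablier's code: `Uint96AllowanceToken` is a constructed model of a token that stores allowances in 96 bits (following the UNI/COMP `approve` pattern, in which exactly `type(uint256).max` is accepted and stored as `type(uint96).max`, while any other value outside the 96-bit range reverts), and `ApprovalProbe` is a hypothetical pre-deployment check that verifies a token accepts the approval value a constructor will hard-code. Both contract names, the `probe`/`demo` functions and the `0xBEEF` spender are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of the ERC20 interface needed by the probe below.
interface IERC20Approve {
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Constructed model token (not a real deployment) whose allowance is stored
// in 96 bits, following the UNI/COMP approve() pattern: type(uint256).max is
// treated as "unlimited" and stored as type(uint96).max, while any other
// value that does not fit in 96 bits reverts.
contract Uint96AllowanceToken is IERC20Approve {
    mapping(address => mapping(address => uint96)) private _allowances;

    function approve(address spender, uint256 rawAmount) external override returns (bool) {
        uint96 amount;
        if (rawAmount == type(uint256).max) {
            amount = type(uint96).max;
        } else {
            require(rawAmount <= type(uint96).max, "approve: amount exceeds 96 bits");
            amount = uint96(rawAmount);
        }
        _allowances[msg.sender][spender] = amount;
        return true;
    }

    function allowance(address owner, address spender) external view override returns (uint256) {
        return _allowances[owner][spender];
    }
}

// Hypothetical pre-deployment check: before a contract hard-codes an approval
// value in its constructor (as the Airstream constructor does), confirm that
// the target token accepts that value. The probe approves from its own
// address, so it needs no token balance.
contract ApprovalProbe {
    // Returns whether approve() succeeded and the allowance the token stored.
    // Note: the catch only handles reverts inside the token; a token that
    // returns no data would fail ABI decoding of the bool in the probe itself.
    function probe(address token, address spender, uint256 amount)
        public
        returns (bool accepted, uint256 stored)
    {
        try IERC20Approve(token).approve(spender, amount) returns (bool ok) {
            accepted = ok;
        } catch {
            // The token rejected this value (e.g. a 96-bit range check).
            accepted = false;
        }
        stored = IERC20Approve(token).allowance(address(this), spender);
    }

    // Runs the probe against the model token with the value the Airstream
    // constructor uses and with a value just outside the 96-bit range.
    function demo()
        external
        returns (bool maxAccepted, uint256 maxStored, bool overflowAccepted)
    {
        Uint96AllowanceToken token = new Uint96AllowanceToken();
        address spender = address(0xBEEF); // stand-in for the lockup contract
        (maxAccepted, maxStored) = probe(address(token), spender, type(uint256).max);
        (overflowAccepted, ) = probe(address(token), spender, uint256(type(uint96).max) + 1);
    }
}
```

Running `demo()` against the model token shows the distinction the finding turns on: the token's reaction to exactly `type(uint256).max` and its reaction to other values above the 96-bit range are two separate cases, so a check against the real target token with the exact value the constructor uses is what decides whether the deployment will revert.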

Impact

Protocols or users who want to use Sablier Airstreams for such tokens will be unable to do so, because the line above reverts and Airstream contracts cannot be created for them.

Tools Used

Manual Review

Recommended Mitigation Steps

Use `type(uint96).max` instead, which all tokens support.

- ASSET.forceApprove(address(LOCKUP_LINEAR), type(uint256).max);
+ ASSET.forceApprove(address(LOCKUP_LINEAR), type(uint96).max);
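Review bot: the `+` line turns an unlimited-style approval into a finite one, which is a behaviour change rather than only a range fix: standard ERC20 tokens decrement a finite allowance on every transferFrom, so LOCKUP_LINEAR's allowance on ASSET could eventually be spent down and need re-approval, which the recommendation does not address. The judging record on this page also marks the premise (that tokens reject `type(uint256).max`) as an incorrect statement, so before adopting this change a named token shown to revert on exactly `type(uint256).max`, rather than on values above `type(uint96).max`, should be cited.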
Updates

Lead Judging Commences

inallhonesty (Lead Judge), over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

ERC20 UNI and COMP Revert on Large Approvals
