Addresses included in the blocklist will cause `SablierV2Lockup::withdrawMultiple()` always revert
Summary
SablierV2Lockup::withdrawMultiple() allows anyone to withdraw multiple streamID. But this will be a problem if the asset used is a token with a blocklist function (e.g. USDC, USDT). If one of the streamID owners / recipients is an address included in the blocklist then this will make the withdrawMultiple() function always revert.
Vulnerability Details
Alice create the stream with Bob as recipient (
USDCorUSDTas asset)For one reason or another, Bob's address listed on the stream is included in the blocklist
In this way, whoever enters Bob's
streamIDas the recipient, the withdrawal transaction will be revert
Impact
SablierV2Lockup::withdrawMultiple() always revert if there is an address that is included in the blocklist for that transaction
Note : This also affects single withdrawals, single cancel() and cancelMultiple()
Tools Used
Manual Review
Recommended Mitigation
Consider quick delete or cancel streamID that have addresses listed on the blocklist
Lead Judging Commences
Info/Gas/Invalid as per Docs
https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.