Sablier
DeFiFoundry
53,440 USDC
Submission Details
Severity: low
Invalid

Lack of Try/Catch Mechanism Leads to Total Gas Loss if Any Transactions Fail

Summary

There are several functions that can be used to send multiple transactions at once. One of them is creating an AirStream airdrop like SablierV2BatchLockup::createWithDurationsLL, which is limited to 50,000 transactions. If a protocol attempts to send the transactions and the 49,999th transaction fails, the entire process starts from 0. This causes all the transactions to revert, resulting in the creator losing a substantial amount of money in gas fees.

Vulnerability Details

The reasons for this transaction failure can be varied, from misconfiguration to a unique user being part of the blocklist. In the case of SablierV2LockUp::withdrawMultiple, the token transfer could fail. All these transactions are processed one by one in a loop, and if any one of them reverts, the main transaction reverts, causing all consumed gas to be lost for the sponsor.

Several reasons can cause this revert in each case, e.g. an invalid streamer ID, amount, etc.

Impact

The caller loses a substantial amount of money in gas fees.

Tools Used

  • Manual code review

Recommendations

Use try/catch in all the mentioned functions to handle any invalid issues.

A sample implementation would look like the following:

+event InvalidStreamIDInBatch(uint256 id, string memory reason);
function cancelMultiple(uint256[] calldata streamIds) external override {
for (uint256 i = 0; i < streamIds.length; ++i) {
+ try cancel(streamIds[i]) {
+ } catch Error(string memory reason){
+ emit InvalidStreamIDInBatch(streamIds[i], reason);
}
}
}
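
Review bot: The call try cancel(streamIds[i]) inside the loop will not compile as written, because Solidity's try/catch applies only to external calls and contract creation, and cancel is invoked here as an internal function. Changing it to this.cancel(streamIds[i]) would compile, but msg.sender inside cancel would then be the contract itself, so any check there that depends on the original caller would need rework. The clause catch Error(string memory reason) matches only reverts that carry a reason string, so a custom error or a panic would still revert the whole batch unless a bare catch or a catch (bytes memory lowLevelData) clause is added. The event declaration also needs fixing: string memory reason is not valid in an event, since event parameters take no data location, so it should read string reason.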

This ensures that if any individual transaction fails, the error can be caught and handled appropriately, preventing the entire batch of transactions from reverting and resulting in gas loss.

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Info/Gas/Invalid as per Docs

https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
