Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: low
Invalid

Frontrunning Clawback Prevents Owner from Rescuing Funds

Summary

The SablierV2MerkleLockup::clawback function lets the campaign owner rescue the funds held by the contract as long as the campaign has not expired and the grace period has not ended. However, recipients (or anyone holding their claim data) can cause the clawback transaction to fail and thereby prevent the funds from being rescued.

Vulnerability Details

If the creator of the airdrop campaign wants to rescue their funds, they call SablierV2MerkleLockup::clawback with an amount, for example the full balance the contract holds at that moment. However, a user can call SablierV2MerkleLL::claim or SablierV2MerkleLT::claim before that transaction executes, which lowers the contract's balance and makes the clawback fail.

This becomes a bigger issue when beneficiaries hand their claim values (index, recipient, amount, merkleProof) to an external party. Since the claim function is external and anyone holding the correct values can call it, a third party can submit the claim transaction itself. That party's motivation is to claim cheaply, hoping the network is not congested, and to prevent the airdrop creator from withdrawing the contract's funds.

If the creator calls SablierV2MerkleLockup::clawback, a third party can frontrun the transaction and call claim as many times as needed, reducing the contract's balance below the amount the creator specified when they sent their transaction, so the clawback fails due to insufficient balance.

This scenario occurs when the expiration time is later than the end of the grace period: the recipients can still call claim because SablierV2MerkleLockup::_checkClaim passes, and once the grace period ends the airdrop creator can no longer rescue the funds.

Impact

The airdrop creator may be unable to claw back their funds.

Tools Used

  • Manual code review

Recommendations

  1. Only allow the claim function to be executed by the recipient. This makes it harder to interfere with the clawback, since a third party holding the claim values can no longer submit the claim on the recipient's behalf.

  2. Allow the use of a private RPC service such as SecureRpc, MEV Blocker or Flashbots so the clawback transaction is not visible in the public mempool before it is mined.
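The following is an added model of the race described in Vulnerability Details and of Recommendation 1; it is example code written for this page, not Sablier's contracts. It stands in for SablierV2MerkleLockup with a plain allocation table instead of a Merkle proof, assumes a 7-day grace window, and uses constructed names (`admin`, `alice`, `bob`, `relayer`) and balances. The admin's clawback is built against the balance observed off-chain; the scenarios compare what happens when nobody claims first, when a third-party relayer lands the claims first, and when the recipients themselves do so with the recipient-only check enabled.

```python
# Constructed model of the claim/clawback ordering; not Sablier's code.
from dataclasses import dataclass, field

SECONDS_PER_DAY = 86_400
GRACE_PERIOD = 7 * SECONDS_PER_DAY  # assumed length of the clawback grace window


class Revert(Exception):
    """Stands in for an EVM revert."""


@dataclass
class Allocation:
    index: int
    recipient: str
    amount: int


@dataclass
class MerkleLockupModel:
    """Minimal stand-in for SablierV2MerkleLockup; the allocation table replaces the Merkle root."""
    admin: str
    balance: int
    expiration: int
    recipient_only: bool = False  # Recommendation 1, switchable so both variants can be compared
    allocations: dict = field(default_factory=dict)
    claimed: set = field(default_factory=set)
    first_claim_time: int = 0

    def _grace_period_passed(self, now: int) -> bool:
        return self.first_claim_time > 0 and now > self.first_claim_time + GRACE_PERIOD

    def claim(self, sender: str, now: int, index: int, recipient: str, amount: int) -> None:
        """Mirrors the _checkClaim conditions: valid leaf, campaign not expired, not yet claimed."""
        leaf = self.allocations.get(index)
        if leaf is None or (leaf.recipient, leaf.amount) != (recipient, amount):
            raise Revert("invalid proof")
        if now >= self.expiration:
            raise Revert("campaign expired")
        if index in self.claimed:
            raise Revert("already claimed")
        if self.recipient_only and sender != recipient:
            raise Revert("caller is not the recipient")
        if self.first_claim_time == 0:
            self.first_claim_time = now
        self.claimed.add(index)
        self.balance -= amount  # the stream created for the recipient is funded from the balance

    def clawback(self, sender: str, now: int, amount: int) -> None:
        """Admin-only; allowed while the grace window is open; the transfer fails if the balance is short."""
        if sender != self.admin:
            raise Revert("caller is not the admin")
        if self._grace_period_passed(now):
            raise Revert("clawback not allowed")
        if amount > self.balance:
            raise Revert("insufficient balance")
        self.balance -= amount


def run_scenario(claimer, recipient_only: bool) -> dict:
    """claimer: None (nobody claims first), "relayer" (third party holding the leaf data),
    or "self" (each recipient sends their own claim). Returns the observable outcome."""
    c = MerkleLockupModel(admin="admin", balance=1_000, expiration=30 * SECONDS_PER_DAY,
                          recipient_only=recipient_only)
    c.allocations = {0: Allocation(0, "alice", 600), 1: Allocation(1, "bob", 300)}
    now = 1 * SECONDS_PER_DAY
    requested = c.balance  # amount the admin reads off-chain when building the clawback tx
    claims_landed = 0
    if claimer is not None:
        # These claims carry a higher priority fee, so they execute before the admin's transaction.
        for leaf in c.allocations.values():
            sender = leaf.recipient if claimer == "self" else claimer
            try:
                c.claim(sender, now, leaf.index, leaf.recipient, leaf.amount)
                claims_landed += 1
            except Revert:
                pass
    try:
        c.clawback("admin", now, requested)
        outcome = "ok"
    except Revert as err:
        outcome = str(err)
    return {"claims_landed": claims_landed, "clawback": outcome, "balance": c.balance}


if __name__ == "__main__":
    for claimer, only in ((None, False), ("relayer", False), ("relayer", True), ("self", True)):
        print(claimer, only, run_scenario(claimer, only))
```

With the default behaviour the relayer's two claims land first, the balance drops from 1,000 to 100 and the admin's clawback of 1,000 reverts. With the recipient-only check the relayer's claims revert and the clawback succeeds; the last scenario shows why the recommendation says "more difficult" rather than "impossible": the recipients themselves can still claim ahead of the clawback.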

Updates

Lead Judging Commences

inallhonesty Lead Judge, over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Info/Gas/Invalid as per Docs

https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity

pina Submitter, over 1 year ago

inallhonesty Lead Judge, over 1 year ago

inallhonesty Lead Judge, about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Info/Gas/Invalid as per Docs

https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
