Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: low
Invalid

Denial of Service on Withdrawals

Summary

There is a potential Denial of Service (DoS) vulnerability in the SablierV2Lockup.sol contract, specifically in the withdraw function.

Vulnerability Details

In SablierV2Lockup.sol:395, the contract attempts to invoke the onLockupStreamWithdrawn hook on the sender contract if certain conditions are met. However, this operation is performed within a try/catch block, which means that any potential revert from the hook will be caught and suppressed.

```solidity
if (msg.sender != sender && sender.code.length > 0 && sender != recipient) {
    // @audit-issue H-01 sender can consume the remaining gas, blocking the withdrawal,
    // because emission of updateMetadata will revert.
    try ISablierV2Sender(sender).onLockupStreamWithdrawn({
        streamId: streamId,
        caller: msg.sender,
        to: to,
        amount: amount
    }) { } catch { }
}
```

If the sender contract is malicious or has a flawed implementation, it can consume all the remaining gas during the execution of the onLockupStreamWithdrawn hook, effectively blocking the withdrawal operation. This is because the withdraw function has the updateMetadata modifier, which tries to emit the MetadataUpdate event after the function body has executed; if the hook has consumed all the gas, that emission reverts.

Impact

If a malicious sender contract is involved, it can prevent legitimate users from withdrawing their funds from the stream by consuming all the remaining gas during the execution of the onLockupStreamWithdrawn hook. This can lead to a Denial of Service (DoS) situation, where users are unable to access their funds indefinitely.

Tools Used

Manual Review

Recommendations

To mitigate this vulnerability, it is recommended to either:

  1. Implement a gas limit or a fixed amount of gas to be forwarded to the onLockupStreamWithdrawn hook, preventing it from consuming all the remaining gas and potentially causing a DoS.

  2. Emit the MetadataUpdate event before calling the onLockupStreamWithdrawn hook, so that the hook call is the last action in the execution flow.

By implementing one of these recommendations, the risk of a malicious sender contract causing a Denial of Service can be mitigated, ensuring that legitimate users can reliably withdraw their funds from the stream.
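A sketch of the two recommendations combined, added here as an illustration and not taken from the Sablier code base or from the submission. The interface name, parameter types, contract name and both gas constants are assumptions; only the hook name, its argument names and the MetadataUpdate event come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical stand-in for the sender hook interface; parameter types are assumed.
interface ISenderHook {
    function onLockupStreamWithdrawn(uint256 streamId, address caller, address to, uint128 amount) external;
}

abstract contract BoundedWithdrawHook {
    event MetadataUpdate(uint256 _tokenId);

    error NotEnoughGasForHook(uint256 available, uint256 required);

    uint256 internal constant HOOK_GAS_CAP = 100_000; // assumed gas budget for the hook
    uint256 internal constant POST_HOOK_RESERVE = 20_000; // assumed cost of work after the hook

    // Intended to run at the end of a withdrawal, after all state changes and transfers.
    function _notifySender(
        uint256 streamId,
        address sender,
        address recipient,
        address to,
        uint128 amount
    ) internal {
        // Recommendation 2: emit before the external call, so the event does not
        // depend on how much gas the hook leaves behind.
        emit MetadataUpdate(streamId);

        // Same conditions as the original snippet, inverted into an early return.
        if (msg.sender == sender || sender.code.length == 0 || sender == recipient) return;

        // A callee receives at most 63/64 of the remaining gas (EIP-150). Check up front
        // that the full cap can be forwarded; otherwise a caller could supply too little
        // gas and make the hook fail silently inside the catch.
        uint256 required = (HOOK_GAS_CAP * 64) / 63 + POST_HOOK_RESERVE;
        if (gasleft() < required) revert NotEnoughGasForHook(gasleft(), required);

        // Recommendation 1: forward a fixed amount of gas instead of everything left.
        try ISenderHook(sender).onLockupStreamWithdrawn{gas: HOOK_GAS_CAP}({
            streamId: streamId,
            caller: msg.sender,
            to: to,
            amount: amount
        }) {} catch {}
    }
}
```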

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Withdraw DoS enabled by external call and `updateMetadata` modifier

0xnevi Judge
over 1 year ago
inallhonesty Lead Judge
over 1 year ago
vesla0x1 Auditor
over 1 year ago
vesla0x1 Auditor
over 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Withdraw DoS enabled by external call and `updateMetadata` modifier
