Sablier

Summary

Malicious user can front-run transfer and withdraw funds Against recipient wiling.

Vulnerability Details

It is mentioned in the docs that unknown caller: "neither Sender nor Recipient but are allowed to trigger withdrawals on behalf of the recipients"
which is normal behavior but a malicious user can use this feature Against the recipient.
Malicious user can front-run transferFrom to withdraw streamId amount to recipient, this is a normal behavior but the problem occurs
when the recipient wants to transfer the NFT with withdrawable amount this means without withdrawing the funds.

Imagine this Scenario:

1. half of the time passed so the streamed amount is 50% Eg: 50 tokens

2. recipient can use withdrawMaxAndTransfer or transferFrom to transfer the NFT including withdrawals funds.
   lets see the difference between withdrawMaxAndTransfer and transferFrom:

   • withdrawMaxAndTransfer: it withdraws all the amount of withdrawable funds eg: 50% == 50 tokens and then transfers the NFT.

   • transferFrom : it transfers the ownership of NFT with the withdrawable funds (50% == 50 tokens if not claimed) to the new recipient.

3. but since the unknown Caller is allowed to withdraw funds to recipient without Permission he can front-run transferFrom when the recipient
   wants to transfer the NFT with withdrawable funds to new recipient.

4. and this goes against the recipient wiling.

5. it is mentioned in docs:

   "If you want to transfer ownership without withdrawing the funds, you can use the transferFrom function"
   https://docs.sablier.com/contracts/v2/guides/stream-management/transfer

   "The recipient can transfer the NFT to another address, and this also transfers the right to withdraw funds from the stream, including any funds already streamed"
   https://docs.sablier.com/concepts/protocol/nft

Second Scenario:

1. recipient wants to sell the NFT based on its withdrawable amount which is 100%.

2. malicious user withdraws recipient funds using withdraw function.

3. since the withdrawn amount cannot be sent again to NFT the NFT price will drop and lose it value.

4. This will expose users to not benefiting from the NFT.

Investors can use sablier to create their own NFT that may contain funds ready for sale.
For example, the NFT holds 100K and the investor wants to sell these funds ready in advance to someone who wants funds ready for quick use at
a price of 105K, in this case. The investor will not be able to sell this asset because the Unknown caller will simply withdraw these funds.

also the recipient will lose the feature of transferring the NFT with the withdrawable funds.

Impact

Malicious user can prevent recipient from transferring the NFT with the withdrawable amounts which can be an issue for the recipient.
and this makes transferFrom losing its feature which is the ability to transfer the NFT with the withdrawable amount.

POC: file test/integration/concrete/lockup-linear/create-with-timestamps/createWithTimestamps.t.sol

Tools Used

Manual

Recommendations

Only approved third party by recipient should be allowed to withdraw funds.