Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: medium
Invalid

A call to `withdrawMaxAndTransfer` by an approved operator reverts

Summary

An approved operator who calls `withdrawMaxAndTransfer` hits a revert, so they have to do it in two steps:
call `withdraw` and then transfer the NFT.

Vulnerability Details

Let's look at the function `withdrawMaxAndTransfer`:

```solidity
function withdrawMaxAndTransfer(
    uint256 streamId,
    address newRecipient
)
    external
    override
    noDelegateCall
    notNull(streamId)
{
    // Check: the caller is the current recipient. This also checks that the NFT was not burned.
@>  address currentRecipient = _ownerOf(streamId);
    if (msg.sender != currentRecipient) {
        revert Errors.SablierV2Lockup_Unauthorized(streamId, msg.sender);
    }
```

Only the stream owner (the recipient) can call this function.
Now let's look at the function `withdraw`:

```solidity
function withdraw(
    uint256 streamId,
    address to,
    uint128 amount
)
    public
    override
    noDelegateCall
    notNull(streamId)
    updateMetadata(streamId)
{
    ...
@>  if (to != recipient && !_isCallerStreamRecipientOrApproved(streamId)) {
        revert Errors.SablierV2Lockup_WithdrawalAddressNotRecipient(streamId, msg.sender, to);
    }
```

This checks whether the caller is the recipient or an approved operator.
An approved operator can also transfer the NFT.
The issue is that the approved operator cannot call `withdrawMaxAndTransfer` directly; they must call `withdraw` first and then transfer the NFT separately.

Impact

An approved operator cannot call `withdrawMaxAndTransfer` directly; they must call `withdraw` first and then transfer the NFT in a second transaction.

Tools Used

Manual review

Recommendation

Make sure `withdrawMaxAndTransfer` and `withdraw` apply the same permission check, so that both accept the recipient or an approved operator.
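To make the asymmetry concrete, here is an added, hypothetical stand-in contract (not Sablier's code). It keeps the two checks quoted above in their original shape, adds the operator-capable `transferFrom` an ERC-721 token would expose, and shows a `withdrawMaxAndTransferAligned` variant that reuses the `withdraw` predicate as the recommendation asks. The approval model is a cut-down ERC-721 one (per-stream approval plus `setApprovalForAll`) so that nothing needs importing, and every deposit is treated as fully vested; both are assumptions made for brevity. The lead judge classed the original behaviour as a design choice, so the aligned variant illustrates the recommendation rather than a required fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal stream contract used only to illustrate the finding.
// It is not Sablier's code; the approval model is a cut-down ERC-721 one
// (per-stream approval plus operator approval) so the example needs no imports.
contract StreamPermissionDemo {
    struct Stream {
        address sender;
        uint128 deposited;
        uint128 withdrawn;
    }

    error Unauthorized(uint256 streamId, address caller);
    error WithdrawalAddressNotRecipient(uint256 streamId, address caller, address to);

    mapping(uint256 => Stream) private _streams;
    mapping(uint256 => address) private _owners;   // the NFT owner is the stream recipient
    mapping(uint256 => address) private _approved; // per-stream approved operator
    mapping(address => mapping(address => bool)) private _operatorApprovals;
    uint256 public nextStreamId = 1;

    event Withdraw(uint256 indexed streamId, address indexed to, uint128 amount);
    event Transfer(uint256 indexed streamId, address indexed from, address indexed to);

    // Constructed setup: the caller funds a stream for `recipient` (token accounting omitted).
    function create(address recipient, uint128 amount) external returns (uint256 streamId) {
        streamId = nextStreamId++;
        _streams[streamId] = Stream({sender: msg.sender, deposited: amount, withdrawn: 0});
        _owners[streamId] = recipient;
    }

    function approve(uint256 streamId, address operator) external {
        if (msg.sender != _owners[streamId]) revert Unauthorized(streamId, msg.sender);
        _approved[streamId] = operator;
    }

    function setApprovalForAll(address operator, bool approved) external {
        _operatorApprovals[msg.sender][operator] = approved;
    }

    function ownerOf(uint256 streamId) public view returns (address) {
        return _owners[streamId];
    }

    // Assumption: everything deposited is already vested, to keep the example short.
    function withdrawableAmountOf(uint256 streamId) public view returns (uint128) {
        Stream storage s = _streams[streamId];
        return s.deposited - s.withdrawn;
    }

    function _isCallerStreamRecipientOrApproved(uint256 streamId) internal view returns (bool) {
        address owner = _owners[streamId];
        return msg.sender == owner || msg.sender == _approved[streamId]
            || _operatorApprovals[owner][msg.sender];
    }

    // Same shape as the finding's `withdraw`: anyone may withdraw to the recipient,
    // but sending elsewhere requires the recipient or an approved operator.
    function withdraw(uint256 streamId, address to, uint128 amount) public {
        address recipient = _owners[streamId];
        if (to != recipient && !_isCallerStreamRecipientOrApproved(streamId)) {
            revert WithdrawalAddressNotRecipient(streamId, msg.sender, to);
        }
        require(amount <= withdrawableAmountOf(streamId), "overdraw");
        _streams[streamId].withdrawn += amount;
        emit Withdraw(streamId, to, amount);
    }

    // Operator-capable transfer, as ERC-721 `transferFrom` would allow.
    function transferFrom(address from, address to, uint256 streamId) public {
        if (from != _owners[streamId] || !_isCallerStreamRecipientOrApproved(streamId)) {
            revert Unauthorized(streamId, msg.sender);
        }
        _owners[streamId] = to;
        delete _approved[streamId];
        emit Transfer(streamId, from, to);
    }

    // As described in the finding: owner-only, so an approved operator reverts here
    // even though it could call `withdraw` and then `transferFrom` separately.
    function withdrawMaxAndTransfer(uint256 streamId, address newRecipient) external {
        address currentRecipient = ownerOf(streamId);
        if (msg.sender != currentRecipient) revert Unauthorized(streamId, msg.sender);
        _withdrawMaxAndTransfer(streamId, currentRecipient, newRecipient);
    }

    // The recommendation applied: reuse the same predicate `withdraw` uses.
    function withdrawMaxAndTransferAligned(uint256 streamId, address newRecipient) external {
        if (!_isCallerStreamRecipientOrApproved(streamId)) revert Unauthorized(streamId, msg.sender);
        _withdrawMaxAndTransfer(streamId, ownerOf(streamId), newRecipient);
    }

    function _withdrawMaxAndTransfer(uint256 streamId, address currentRecipient, address newRecipient) private {
        uint128 amount = withdrawableAmountOf(streamId);
        if (amount > 0) withdraw(streamId, currentRecipient, amount); // funds go to the current recipient
        transferFrom(currentRecipient, newRecipient, streamId);
    }
}
```

To exercise it: have the recipient call `approve(streamId, operator)`, then from the operator address call `withdrawMaxAndTransfer`, which reverts with `Unauthorized`, and `withdrawMaxAndTransferAligned`, which pays the withdrawable amount to the current recipient and moves the stream to `newRecipient` in one transaction. The internal `withdraw` call passes in both variants because `to` is the current recipient, which is exactly the path the finding says the operator can already take in two separate calls.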

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
