Sablier
DeFiFoundry
53,440 USDC
Submission Details
Severity: high
Invalid

`_mint` can mint NFT to the recipient more than once

Summary

The `_mint` call does not check if the recipient has already received the NFT, thereby causing the same recipient to receive the NFT more than once.

Vulnerability Details

The line `_mint({ to: params.recipient, tokenId: streamId });` in `SablierV2LockupLinear::_create`, `SablierV2LockupDynamic::_create` and `SablierV2LockupTranched::_create` does not have a validation to check if the recipient has already received the NFT.

In the subsequent lines, the `safeTransferFrom` calls can fail due to out-of-gas conditions but the `_mint` step will still persist. If the call is made again to rectify the failed `safeTransferFrom` calls, the `_mint` function would be called again, causing the recipient to receive the NFT more than once.

Impact

The recipient can receive NFTs more than once (or more than the intended number of times).

Tools Used

Manual Review

Recommendations

Introduce the following mapping `_mintedNFTs` as a state variable and two new functions, `_isNFTMinted` and `_mintWithCheck`:

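```solidity
// Records, per stream ID, the address the NFT was minted to.
mapping(uint256 => address) private _mintedNFTs;

// True only when this stream ID was already recorded for this exact recipient.
function _isNFTMinted(uint256 streamId, address recipient) internal view returns (bool) {
    return _mintedNFTs[streamId] == recipient;
}

// Reverts on a repeat mint for the same (streamId, recipient) pair, then records and mints.
function _mintWithCheck(uint256 streamId, address recipient) internal {
    require(!_isNFTMinted(streamId, recipient), "NFT already minted for this recipient and stream ID");
    _mintedNFTs[streamId] = recipient;
    _mint(recipient, streamId);
}
```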

Call the `_mint` function like so:

-_mint({ to: params.recipient, tokenId: streamId })
+_mintWithCheck(streamId, params.recipient);
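
Review bot: `_mintWithCheck` on the `+` line only reverts when `_mintedNFTs[streamId]` already equals the same `recipient`, so a second mint of the same `streamId` to a different address passes the `require` and overwrites the mapping entry. If the intent is one mint per stream ID, test `_mintedNFTs[streamId] == address(0)` before minting instead of comparing against `recipient`. The replacement also reverses the argument order relative to the named-argument call it removes (`to`, `tokenId` becomes `streamId`, `recipient`), which deserves a comment on the new function so callers do not transpose them.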

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
