The protocol claims to support all types of ERC20 tokens. However, in certain cases, users may be blacklisted by specific tokens, which can result in the loss of funds.
Blacklisted users are unable to send or receive tokens. Consequently, if a user is blacklisted, two primary issues may arise:
Withdrawal Issues: If a blacklisted user attempts to withdraw funds from a stream using any of the withdrawal functions, which invoke the internal SablierV2Lockup::_withdraw function, the operation will fail due to the ERC-20 transfer call:
This will revert the transaction, preventing the user from receiving their funds.
However, if the stream is transferable, users can transfer the NFT and withdraw their funds from a different wallet.
Cancellation Issues: If the sender is blacklisted, they will be unable to call SablierV2Lockup::cancel under any circumstances, as the SablierV2Lockup::_cancel function attempts to send tokens directly to the sender:
A blacklisted user may lose access to their funds, leaving them locked in the contract.
Manual review
Implement a mechanism to specify an alternate address for receiving funds, with appropriate access controls for the recipient and sender.
Add a function allowing the sender to change the stream's sender address, restricted to the sender only.
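A reduced model of the cancel path and the two recommended mitigations, added here as an illustration and not taken from the Sablier code base. BlacklistToken, StreamEscrow, cancelTo and transferSender are hypothetical names, and the escrow is assumed to already hold the refundable amount. Once the issuer blacklists the sender, cancel() reverts with "blacklisted", while cancelTo with a non-blacklisted address, or transferSender followed by cancel from the new sender, releases the refund.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Added illustration, not Sablier code. Every name below is hypothetical.
interface IERC20 { function transfer(address to, uint256 value) external returns (bool); }

/// Constructed mock of a token whose issuer can blacklist addresses.
contract BlacklistToken is IERC20 {
    address public immutable issuer = msg.sender;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public blacklisted;
    modifier onlyIssuer() { require(msg.sender == issuer, "not issuer"); _; }
    function mint(address to, uint256 value) external onlyIssuer { balanceOf[to] += value; }
    function setBlacklisted(address who, bool flag) external onlyIssuer { blacklisted[who] = flag; }
    function transfer(address to, uint256 value) external returns (bool) {
        require(!blacklisted[msg.sender] && !blacklisted[to], "blacklisted");
        balanceOf[msg.sender] -= value; // checked arithmetic reverts on underflow
        balanceOf[to] += value;
        return true;
    }
}

/// One stream reduced to its cancel path; assumes `refundable_` tokens were minted to this contract.
contract StreamEscrow {
    IERC20 public immutable asset;
    address public sender;
    uint256 public refundable;
    modifier onlySender() { require(msg.sender == sender, "not sender"); _; }

    constructor(IERC20 asset_, address sender_, uint256 refundable_) {
        asset = asset_; sender = sender_; refundable = refundable_;
    }

    /// Before: the refund is pushed to `sender`, so it reverts while `sender` is blacklisted.
    function cancel() external onlySender { _refund(sender); }
    /// Mitigation 1: the sender names the address that receives the refund.
    function cancelTo(address to) external onlySender { _refund(to); }
    /// Mitigation 2: the sender hands the sender role to another address.
    function transferSender(address newSender) external onlySender {
        require(newSender != address(0), "zero address");
        sender = newSender;
    }

    function _refund(address to) private {
        require(to != address(0), "zero address");
        uint256 amount = refundable;
        refundable = 0; // effect before the external call
        require(asset.transfer(to, amount), "transfer failed");
    }
}
```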