Summary

SablierV2MerkleLT is used to create system specific airstreams, which close to an airdrop, but using sablier lockup streams to unlock the tokens in time. Currently it is possible to for users to create linear and tranche streams.

Vulnerability Details

The problem is that there is no guarantee what amount of the corresponding ERC20 token is inside the SablierV2MerkleLockup contract, which means that if there is not enough for all users with merkle proof, tokens would be distributed by "first-come-first-serve", which is not fair. This is the case, because when claim is called, corresponding lockupStream will try to send corresponding amount from msg.sender(in this case SablierV2Merkle contract). And if the case is such that the cotract doesn't have enough funds for all claimers, some of them looses. The following may be used as honeyp pot attack by malicious creator, who promises prize distribution and showing as proof merkle root with claims, or funds in the contract.

Impact

Unfair reward distribution

Tools Used

Manual Review

Recommendations

We cannot mitigate this concern in 100%, because merkle part is off chain and there could always be infinet proofs for the correponding merkle tree.

So one solution would be to store merkle tree on-chain and so on SablierV2MerkleLockup creation a transferFrom with the amount of all leafs should be done. By this, there would be guarantee for no inconvenient scenarios.