Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: low
Valid

Front-Running Vulnerability in Stream Sales Leads to Financial Exploitation

Summary

The protocol aims to facilitate the buying, selling, and trading of streams (represented as NFTs). However, a malicious user might exploit this feature to defraud buyers by front-running their purchase and withdrawing the available funds.

Vulnerability Details

ERC721::transferFrom, ERC721::safeTransferFrom and the other transfer functions do not enforce a minimum withdrawable balance on the stream, which allows a malicious user to:

  1. List an NFT with a withdrawable amount of x tokens at a discounted price, for instance 0.8x (20% off).

  2. Another user (User2) sees this discounted stream and purchases it for 0.8x, perceiving it as a risk-free trade.

  3. The malicious user then front-runs User2's purchase transaction and calls the SablierV2Lockup::withdrawMax function.

  4. Since User2's transaction does not account for this "slippage," it proceeds, leaving User2 with a stream that has zero withdrawable funds while the malicious user gains both the 0.8x from the sale and 1x from the withdrawal.

Impact

This front-running vulnerability allows scammers to defraud users, resulting in significant financial losses. Over time, this could reduce user trust and the popularity of trading streams within the protocol.

Tools Used

Manual Review

Recommendations

  1. Override the transfer functions and implement a slippage mechanism: add a check to the transfer functions so that buyers receive at least a minimum withdrawable amount of tokens. For example (pseudocode):

     if (minWithdrawableAmount > withdrawableAmountOf(streamId))
         revert;

  2. Automatic withdrawal during sale: modify the logic so that funds are automatically withdrawn for the previous recipient during a sale.
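The scenario from the finding and the first recommendation, as an added illustration that is not Sablier or DeFiFoundry code: a toy lockup stream with `withdraw_max` and a transfer that takes the buyer's `min_withdrawable` (a hypothetical parameter), showing that the front-run sale goes through unprotected but reverts once the check is in place.

```python
# Added example (not part of the original finding or the Sablier code base).
# Models a stream NFT sale with and without the recommended minimum-withdrawable check.

class Stream:
    """Toy lockup stream: the recipient (NFT owner) may withdraw what has vested."""

    def __init__(self, stream_id: int, recipient: str, withdrawable: int):
        self.id = stream_id
        self.recipient = recipient
        self.withdrawable = withdrawable  # tokens currently claimable by the recipient

    def withdraw_max(self, caller: str) -> int:
        """Stand-in for withdrawMax: the recipient drains every vested token."""
        if caller != self.recipient:
            raise PermissionError("only the recipient can withdraw")
        amount, self.withdrawable = self.withdrawable, 0
        return amount

    def transfer(self, frm: str, to: str, min_withdrawable: int = 0) -> None:
        """NFT transfer plus the recommended slippage check (hypothetical parameter)."""
        if frm != self.recipient:
            raise PermissionError("not the owner")
        if self.withdrawable < min_withdrawable:
            raise ValueError("slippage: withdrawable amount below buyer's minimum")
        self.recipient = to


def settle_sale(stream: Stream, seller: str, buyer: str,
                price: int, min_withdrawable: int) -> int:
    """Buyer pays `price` and receives the NFT; returns buyer's net (withdrawable - price)."""
    stream.transfer(seller, buyer, min_withdrawable)
    return stream.withdrawable - price


def scenario(front_run: bool, protected: bool) -> dict:
    """Seller lists 100 withdrawable tokens at 80 (20% off); optionally front-runs with withdraw_max."""
    stream = Stream(1, "seller", 100)
    if front_run:
        stream.withdraw_max("seller")  # seller's tx is ordered ahead of the purchase
    try:
        net = settle_sale(stream, "seller", "buyer", price=80,
                          min_withdrawable=100 if protected else 0)
        return {"buyer_tx_reverted": False, "buyer_net": net}
    except ValueError:
        return {"buyer_tx_reverted": True, "buyer_net": 0}  # buyer pays nothing on revert
```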

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Info/Gas/Invalid as per Docs

https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity

NFTs integration with DEFI projects (market, lending etc) can be exploited/won't work

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

NFTs integration with DEFI projects (market, lending etc) can be exploited/won't work
