Summary

When deploying a SablierV2MerkleLL contract via the SablierV2MerkleLockupFactory, if the deployment fails (e.g., due to out-of-gas errors or invalid constructor parameters), the deployer will lose the gas fees spent on the deployment attempt. This loss occurs because the factory contract does not handle failed deployments, leading to the consumption of gas without successfully deploying the contract.

Vulnerability Details

The createMerkleLL function in the SablierV2MerkleLockupFactory deploys a new SablierV2MerkleLL contract using
the new keyword. This deployment process involves the execution of the constructor of SablierV2MerkleLL,
which initializes various state variables and sets up token approvals.

However, if the deployment fails (e.g., due to out-of-gas errors or invalid constructor parameters), the transaction will revert. While this reversion ensures that no erroneous state changes occur, the gas used for the deployment attempt is still consumed and not refunded. As a result, the deployer incurs a financial loss in the form of gas fees.

Impact

The primary impact of a failed deployment is the loss of gas fees spent during the deployment attempt.
Since the factory contract does not handle deployment failures within a try/catch block, the deployer
must bear the full cost of the gas consumed.

Proof of Concept:

Consider the deployment scenario where the gas estimation is insufficient or constructor parameters are invalid.

If the deployment fails, the gas fees spent on the attempt are lost, and the deployer receives no refund for the consumed gas.

Tools Used

VS Code/Foundry

Recommendations

To mitigate the risk of losing gas fees during deployment failures, consider implementing the
deployment logic within a try/catch block. This approach will allow handling deployment failures
gracefully and potentially retrying the deployment or handling a failed deployment correctly.