Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: medium
Valid

Use of CREATE for airstream deployment is susceptible to reorg attacks

Summary

When a campaign initiator wants to create a linear or tranched airstream, they call SablierV2MerkleLockupFactory::createMerkleLL or SablierV2MerkleLockupFactory::createMerkleLT. Both functions deploy the new campaign contract with the CREATE opcode (see the provided GitHub permalinks), so the resulting address is keccak256(rlp([factory, nonce]))[12:]: it depends only on the factory's own address and its current nonce, not on who called the factory or with which parameters. This makes the deployment susceptible to reorg attacks.

Vulnerability Details

Reorgs can occur on any EVM chain, and are most likely on chains such as Polygon or on L2s such as Arbitrum. Since the protocol's README states that Sablier is compatible with "Any network which is EVM compatible", all of these chains are in scope. Some reference links for reorgs that happened in the past:

Ethereum: https://decrypt.co/101390/ethereum-beacon-chain-blockchain-reorg (2 years ago)

Polygon: https://polygonscan.com/block/36757444/f?hash=0xf9aefee3ea0e4fc5f67aac48cb6e25912158ce9dca9ec6c99259d937433d6df8 (2 years ago; a 120-block-deep reorg, which at a block rate of ~2 seconds means about 4 minutes of rewritten transactions)
https://protos.com/polygon-hit-by-157-block-reorg-despite-hard-fork-to-reduce-reorgs/ (February last year; 157 blocks deep)

Optimistic rollups (Optimism/Arbitrum) are also exposed: the confirmation a user receives from the sequencer is only a soft commitment, and the ordering becomes final only once the batch is included in a finalized L1 block, so an L1 reorg (or a sequencer-side reorg) can change the order in which already "confirmed" transactions execute.

These are the largest reorgs on record for those chains. The following page lists forked blocks, i.e. blocks excluded as a result of "Block Reorganizations" on Polygon: https://polygonscan.com/blocks_forked?p=1. It shows that reorgs at least two digits deep happen every month.

The vulnerability is that an airstream creator who computes the campaign address in advance (for example to fund it in a separate transaction, or to deploy at the same address on several chains) has no guarantee that the address will hold their campaign: after a reorg the same factory nonce can be consumed by someone else's create call, and any funds sent to the precomputed address then belong to that other campaign's admin.

Proof-Of-Concept:

Imagine the following scenario:

  1. Alice calls createMerkleLL; her Airstream is deployed at the address derived from the factory's current nonce, and she sends a second transaction funding that address.

  2. Bob runs a bot that watches the chain and alerts on a reorg.

  3. When the reorg drops the block containing Alice's deployment, Bob submits his own call to one of the aforementioned create functions, ordered ahead of Alice's re-included transaction.

  4. Bob's call consumes the factory nonce that Alice's call used before, so his Airstream is deployed at exactly the address Alice's funding transaction targets.

  5. Alice's deployment is re-executed with the next nonce and lands at a different address, while her funding transaction delivers the tokens to Bob's Airstream.

  6. Bob, as admin of that Airstream, immediately calls SablierV2MerkleLockup::clawback and transfers the tokens to himself.

Impact

Impact: High - funds provided by the creator can be stolen
Likelihood: Low - it requires a block reorganization to occur, and the creator of the stream can choose not to fund it immediately
Overall: Medium

Tools Used

Manual Review

Recommendations

Deploy newly created Airstreams via CREATE2 with a salt that includes msg.sender (together with the campaign parameters), so that the address a creator precomputes can only be occupied by a campaign deployed from their own account, whatever the factory's nonce is when the transaction finally executes.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

CREATE is vulnerable to ChainReorgs
