When a campaign initiator wants to create a linear or tranched airstream, they call `SablierV2MerkleLockupFactory::createMerkleLL` or `SablierV2MerkleLockupFactory::createMerkleLT`. However, these functions deploy with the CREATE opcode (see the provided GitHub permalinks), where the derived address depends only on the `SablierV2MerkleLockupFactory` nonce. This makes the deployment susceptible to reorg attacks.
As mentioned in the report's title, reorgs can occur on all EVM chains and are most likely on L2s such as Arbitrum or Polygon. As stated in the protocol's README, Sablier is compatible with "Any network which is EVM compatible". Here are some reference links for previous reorgs:
Ethereum: https://decrypt.co/101390/ethereum-beacon-chain-blockchain-reorg - 2 years ago
Polygon: https://polygonscan.com/block/36757444/f?hash=0xf9aefee3ea0e4fc5f67aac48cb6e25912158ce9dca9ec6c99259d937433d6df8 - 2 years ago; this one was 120 blocks deep, which means about 4 minutes of rewritten transactions given the ~2-second block rate
https://protos.com/polygon-hit-by-157-block-reorg-despite-hard-fork-to-reduce-reorgs/ - February last year, 157 blocks deep
Optimistic rollups (Optimism/Arbitrum) are also susceptible to reorgs: if someone proves a fraud, the affected blocks are reverted even though the user has already received a confirmation.
These are the largest reorg events that have happened. Here is a link to forked blocks, i.e. blocks excluded as a result of "Block Reorganizations" on Polygon: https://polygonscan.com/blocks_forked?p=1, where it can be observed that reorgs at least two digits of blocks deep happen every month.
The vulnerability is that airstream creators rely on deriving the address in advance, or on deploying to the same address on different chains; any funds sent to the airstream address can be stolen.
Proof-Of-Concept:
Imagine the following scenario:
1. Alice deploys a new Airstream and funds it.
2. Bob runs a bot that observes the blockchain and alerts him when a reorg happens.
3. Bob calls one of the aforementioned create functions.
4. An Airstream controlled by Bob is thus created at the address to which Alice sends tokens.
5. Finally, Alice's funding tx is executed and the Airstream that Bob controls is funded.
6. Bob immediately calls `SablierV2MerkleLockup::clawback` and transfers the tokens to himself.
Impact: High - funds provided by the creator can be stolen
Likelihood: Low - it requires a block reorganization event, and the creator of the stream has the option not to fund it immediately.
Overall: Medium
Tools Used: Manual Review
Recommendation: Deploy the newly created Airstreams via CREATE2 with a `salt` that includes `msg.sender`.
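The following factory sketch is an added example written for this finding; it is not Sablier's code, and `Airstream`, `AirstreamFactory`, `createWithCreate`, `createWithCreate2` and `computeAddress` are hypothetical names. It places the CREATE deployment (address fixed by the factory's nonce, so any caller who lands a create at that nonce after a reorg owns the pre-announced address) beside the recommended CREATE2 deployment, whose salt is bound to `msg.sender` so that no other caller can reproduce the same address:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

/// @dev Hypothetical stand-in for a Merkle lockup campaign; only the admin matters here.
contract Airstream {
    address public immutable admin;

    constructor(address admin_) {
        admin = admin_;
    }
}

/// @dev Hypothetical factory contrasting the vulnerable and the hardened deployment path.
contract AirstreamFactory {
    event AirstreamCreated(address indexed airstream, address indexed creator);

    /// Vulnerable pattern: `new` without a salt uses CREATE, so the address is
    /// keccak256(rlp([factory, factoryNonce])). Nothing about the caller enters
    /// the derivation; after a reorg, whichever create lands at that nonce first
    /// occupies the address the original creator computed and intends to fund.
    function createWithCreate(address admin) external returns (Airstream airstream) {
        airstream = new Airstream(admin);
        emit AirstreamCreated(address(airstream), msg.sender);
    }

    /// Hardened pattern: `new` with a salt uses CREATE2. The salt mixes in
    /// msg.sender, so the address is a function of (factory, creator, userSalt,
    /// init code). A different caller reusing the same userSalt gets a different
    /// address, and the creator's own redeploy after a reorg lands at the same one.
    function createWithCreate2(address admin, bytes32 userSalt) external returns (Airstream airstream) {
        bytes32 salt = keccak256(abi.encodePacked(msg.sender, userSalt));
        airstream = new Airstream{salt: salt}(admin);
        emit AirstreamCreated(address(airstream), msg.sender);
    }

    /// Off-chain-friendly precomputation of the CREATE2 address, so a creator can
    /// verify where the campaign will live before sending any tokens.
    function computeAddress(address creator, address admin, bytes32 userSalt)
        external
        view
        returns (address)
    {
        bytes32 salt = keccak256(abi.encodePacked(creator, userSalt));
        // Constructor arguments are part of the init code, hence part of the hash.
        bytes32 initCodeHash = keccak256(abi.encodePacked(type(Airstream).creationCode, abi.encode(admin)));
        return address(uint160(uint256(keccak256(abi.encodePacked(bytes1(0xff), address(this), salt, initCodeHash)))));
    }
}
```

Because the constructor argument is part of the init code hash, an attacker who reuses the creator's salt but passes their own admin also lands at a different address, so a creator who funds only after checking that `Airstream(addr).admin()` equals the expected admin, ideally once the deployment block is past the chain's reorg depth, cannot be redirected by the scenario above.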