Because Sablier is compatible with any EVM chain, it is unfortunately exposed to the scenario below.
In multi-chain deployments, the claim function in the SablierV2MerkleLL and SablierV2MerkleLT contracts is vulnerable to front-running and cross-chain replay attacks.
The claim function in SablierV2MerkleLL relies on Merkle proofs to validate claims. The function generates a Merkle tree leaf by hashing the claim parameters, which are then checked against the Merkle root.
Multi-Chain Deployment and Forks:
The SablierV2MerkleLL contract is designed to be deployed on multiple EVM-compatible chains.
This creates a risk scenario where the same Merkle proof could be used to claim tokens on different chains or forks.
An attacker monitors the mempool across different chains. When a recipient submits a claim transaction on one chain, the attacker replicates it on another chain where the contract is also deployed. This allows the attacker to potentially claim tokens on the other chain before the legitimate recipient.
During a chain fork, the attacker monitors transactions on the shorter fork. If a recipient’s claim transaction appears on the shorter fork, the attacker can replicate it on the longer fork. The attacker's transaction on the longer fork is processed, allowing them to claim tokens before the legitimate recipient when the shorter fork is discarded.
If a claim is made with an incorrect recipient address due to differences across chains, the tokens will be lost or misdirected.
Foundry
EIP-712 Signatures
Use EIP-712 signatures to ensure each claim is unique to the specific chain and contract. This prevents attackers from replaying transactions across different chains.
Chain ID Verification
Include chain ID verification within the claim function to ensure that claims are only valid on the intended chain.
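One way to apply the chain ID recommendation is to bind each Merkle leaf to the chain and to the deployed contract, so a proof built for one deployment fails verification on any other. The contract below is an added example, not Sablier's code: the contract name, the `index`/`recipient`/`amount` leaf fields, and the inline sorted-pair proof check are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical contract for illustration only; not part of the Sablier code base.
contract ChainBoundMerkleClaim {
    bytes32 public immutable merkleRoot;
    mapping(uint256 => bool) public claimed;

    error AlreadyClaimed(uint256 index);
    error InvalidProof();

    event Claimed(uint256 indexed index, address indexed recipient, uint128 amount);

    constructor(bytes32 root) {
        merkleRoot = root;
    }

    /// The leaf commits to the chain ID and this contract's address in addition
    /// to the claim parameters. block.chainid is read at call time, so a fork
    /// that adopts a new chain ID no longer matches leaves built for the original.
    function leafFor(uint256 index, address recipient, uint128 amount) public view returns (bytes32) {
        return keccak256(
            bytes.concat(keccak256(abi.encode(block.chainid, address(this), index, recipient, amount)))
        );
    }

    function claim(uint256 index, address recipient, uint128 amount, bytes32[] calldata proof) external {
        if (claimed[index]) revert AlreadyClaimed(index);
        if (!_verify(proof, leafFor(index, recipient, amount))) revert InvalidProof();
        claimed[index] = true; // mark before any external call
        emit Claimed(index, recipient, amount);
        // The token transfer or stream creation for `recipient` would go here.
    }

    /// Sorted-pair Merkle verification: each step hashes the smaller node first.
    function _verify(bytes32[] calldata proof, bytes32 leaf) private view returns (bool) {
        bytes32 node = leaf;
        for (uint256 i = 0; i < proof.length; ++i) {
            bytes32 sibling = proof[i];
            node = node < sibling
                ? keccak256(abi.encodePacked(node, sibling))
                : keccak256(abi.encodePacked(sibling, node));
        }
        return node == merkleRoot;
    }
}
```

The off-chain tree must be built per deployment with the same leaf encoding, which requires knowing the contract address before the root is fixed (for example, a deterministic deployment address).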