Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: low
Invalid

Users may deploy `SablierV2MerkleLockup` with malicious `SablierV2Lockup` contracts through the official factory

Summary

SablierV2MerkleLockup is used to create system-specific "airstreams": an airdrop whose tokens are unlocked over time through Sablier lockup streams. Currently users can create linear and tranched streams.
When a user creates such an airstream, they interact with SablierV2MerkleLockupFactory and have to provide the parameters of the SablierV2MerkleLockup contract to be created. The user also supplies an arbitrary lockupTranched or lockupLinear contract address. That contract only has to implement the ISablierV2LockupLinear (respectively ISablierV2LockupTranched) interface, so it may be a user-deployed contract whose functions execute arbitrary code. The problem is that a SablierV2MerkleLockup wired to such a malicious SablierV2Lockup contract can be deployed through the original SablierV2MerkleLockupFactory, and the deployment is therefore announced in SablierV2MerkleLockupFactory's own events.
The impact varies depending on the situation.

Vulnerability Details

Imagine the following scenario:

  • There is an initiative from sponsor A, who funds every SablierV2MerkleLockup contract with X tokens, provided that the deployed contract sets his address as admin and uses a specific merkleRoot.

  • The sponsor listens for the CreateMerkleLT and CreateMerkleLL events emitted by the original SablierV2MerkleLockupFactory contract and sends the initiative's reward to the deployed merkleLockup contract.

  • A malicious user sees the opportunity and deploys a contract that implements the ISablierV2LockupTranched interface, but whose createWithDurations function only transfers all funds from msg.sender to an address he owns.

  • The malicious user calls createMerkleLT, passing his malicious contract as the lockup and the sponsor's address as admin.

  • The factory emits the event and the sponsor sends the funds, because the event matches the requirements.

  • Now, when the sponsor tries to claim with a merkle proof, the funds are only transferred to the malicious party.

Impact

  • Bad reputation for the protocol

  • Possibility of funds being lost

Tools Used

Manual Review

Recommendations

Implement a whitelist of trusted lockup contracts that may be used when deploying a SablierV2MerkleLockup contract, and have the factory reject any other lockup address.
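As an added illustration of that recommendation (a sketch written for this page, not Sablier's code), the factory below keeps an admin-curated allowlist and reverts before deploying anything, so a user-supplied lockup contract never reaches the CreateMerkleLT event. Only the names ISablierV2LockupTranched, createMerkleLT and CreateMerkleLT come from the page; the MerkleLT contract, the event parameters and the admin functions are simplified assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity >=0.8.22;

// Illustrative sketch, not Sablier's code. The interface body and the
// MerkleLT contract are reduced to what the allowlist check needs.
interface ISablierV2LockupTranched {}

contract MerkleLT {
    ISablierV2LockupTranched public immutable lockupTranched;
    address public immutable admin;
    bytes32 public immutable merkleRoot;

    constructor(ISablierV2LockupTranched lockup, address admin_, bytes32 root) {
        lockupTranched = lockup;
        admin = admin_;
        merkleRoot = root;
    }
}

contract MerkleLockupFactory {
    address public immutable protocolAdmin;
    mapping(address => bool) public isTrustedLockup;

    event TrustedLockupSet(address indexed lockup, bool trusted);
    // Simplified event shape (assumption): the real event carries more fields.
    event CreateMerkleLT(address indexed merkleLT, address indexed lockup, address indexed admin, bytes32 merkleRoot);

    error LockupNotTrusted(address lockup);
    error NotProtocolAdmin(address caller);

    constructor(address protocolAdmin_) {
        protocolAdmin = protocolAdmin_;
    }

    // Only the protocol admin curates which lockup deployments are acceptable.
    function setTrustedLockup(address lockup, bool trusted) external {
        if (msg.sender != protocolAdmin) revert NotProtocolAdmin(msg.sender);
        isTrustedLockup[lockup] = trusted;
        emit TrustedLockupSet(lockup, trusted);
    }

    // The allowlist check runs before any deployment or event emission, so an
    // arbitrary contract that merely implements the interface is rejected.
    function createMerkleLT(ISablierV2LockupTranched lockupTranched, address admin, bytes32 merkleRoot)
        external
        returns (MerkleLT merkleLT)
    {
        if (!isTrustedLockup[address(lockupTranched)]) revert LockupNotTrusted(address(lockupTranched));
        merkleLT = new MerkleLT(lockupTranched, admin, merkleRoot);
        emit CreateMerkleLT(address(merkleLT), address(lockupTranched), admin, merkleRoot);
    }
}
```

An off-chain sponsor that funds on CreateMerkleLT events still benefits from checking the emitted lockup address against the same trusted set, since the allowlist only protects deployments made through this factory.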

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Known - Contest Details

https://www.codehawks.com/contests/clvb9njmy00012dqjyaavpl44
