Claimers who try to claim their airdrop some blocks before the EXPIRATION timestamp can be DoS'd by validators and/or malicious users and eventually not create their stream
Airdrops in Sablier have an EXPIRATION timestamp (if it is 0, they basically do not expire). The check of whether an airdrop has expired is done by the hasExpired function, which is called by the _checkClaim function:
However, this check is vulnerable to DoS attacks. If a claimer tries to claim their airdrop some blocks before the EXPIRATION timestamp, validators can delay the block creation and/or not include the claimer's transaction in the block. Also, malicious users can spam the network with little 1 wei transactions so that the claimer's transaction is not included in the next block(s). Of course, this cannot be done long term, but it can be done for a short period of time, and as a result the claimer will be prevented from creating their stream.
This vulnerability leads to some claimers losing their chance to claim their airdrop through no fault of their own, since they tried to claim it in time.
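The timing issue described above, as an added Python model that is not Sablier's code and not part of the original finding: the expiry check runs against the timestamp of the block that finally includes the claim, not the time the claim was broadcast. The `Campaign` class, the helper names, the inclusive comparison in `has_expired` and the sample timestamps are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Campaign:
    expiration: int  # unix seconds; 0 means "never expires", as the finding states

    def has_expired(self, block_timestamp: int) -> bool:
        # Assumption: expired once the block time reaches EXPIRATION.
        return self.expiration > 0 and block_timestamp >= self.expiration


def execute_claim(campaign: Campaign, submitted_at: int,
                  blocks: List[Tuple[int, bool]]) -> str:
    """Outcome of a claim broadcast at `submitted_at`.

    `blocks` holds (timestamp, includes_claim) pairs in chain order. The
    expiry check sees only the timestamp of the including block.
    """
    for timestamp, includes_claim in blocks:
        if timestamp < submitted_at or not includes_claim:
            continue  # block predates the broadcast, or the tx was left out
        if campaign.has_expired(timestamp):
            return "reverted: expired"
        return "claimed"
    return "pending"


def tolerated_delay(campaign: Campaign, submitted_at: int) -> Optional[int]:
    """Seconds of inclusion delay the claim survives.

    None means the campaign has no expiry; a negative value means the
    claim was broadcast too late even with immediate inclusion.
    """
    if campaign.expiration == 0:
        return None
    return campaign.expiration - submitted_at - 1


# Constructed sample: 12-second blocks, campaign expiring at t=1000.
CAMPAIGN = Campaign(expiration=1_000)
ON_TIME = [(976, True), (988, True), (1_000, True)]
DELAYED = [(976, False), (988, False), (1_000, True)]  # tx left out twice

if __name__ == "__main__":
    for name, chain in (("on time", ON_TIME), ("delayed", DELAYED)):
        print(name, "->", execute_claim(CAMPAIGN, 970, chain))
    print("tolerated delay (s):", tolerated_delay(CAMPAIGN, 970))
```

The same transaction, broadcast at the same time, succeeds or reverts depending only on which block includes it.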
Manual review
The fix for this vulnerability may be a systemic problem of EVM-compatible chains, and it is not easy to address.