Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: medium
Invalid

The assumption that all ERC20 assets have 18 decimals is incorrect

Summary

In the current code flow, the assumption is made that all ERC20 assets will have 18 decimals.

But this is not valid for all scenarios. For example, the following tokens have fewer than 18 decimals.

USDC (USD Coin), USDT (Tether), GUSD (Gemini Dollar), TUSD (TrueUSD).

Vulnerability Details

In the current code, the broker fee percentage is decided with 18-decimal values.

https://github.com/Cyfrin/2024-05-Sablier/blob/43d7e752a68bba2a1d73d3d6466c3059079ed0c6/v2-core/src/abstracts/SablierV2Lockup.sol#L35-L37

/// @inheritdoc ISablierV2Lockup
UD60x18 public constant override MAX_BROKER_FEE = UD60x18.wrap(0.1e18);

Impact

A larger amount of the base token has to be deposited by the stream sender when they consider the broker fee.

In other words, they have to pay a hefty amount of broker fee.

Tools Used

Manual review.

Recommendations

We would suggest setting MAX_BROKER_FEE inside the constructor based on the base asset's decimals.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
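
The fixed-point arithmetic behind the `MAX_BROKER_FEE` constant quoted in the submission, as an added example that is neither part of the submission nor Sablier's own code. It models UD60x18 multiplication with Python integers and applies the same fee ratio to tokens with 2, 6 and 18 decimals; the helper names and the assumption that the fee is computed as `total * ratio` in the token's base units are hypothetical.

```python
from fractions import Fraction

# Added illustration: models UD60x18 fixed-point math with Python integers.
UNIT = 10**18                # UD60x18 scale: 1e18 represents the ratio 1.0 (100%)
MAX_BROKER_FEE = UNIT // 10  # 0.1e18, the constant quoted on the page (ratio 0.1)


def ud_mul(x: int, y: int) -> int:
    """UD60x18-style multiplication: floor(x * y / 1e18)."""
    return x * y // UNIT


def split_deposit(total_base_units: int, broker_fee: int) -> tuple[int, int]:
    """Return (broker_fee_amount, deposit_amount) in the token's base units.

    Assumption (not shown on the page): the fee is total * fee_ratio,
    computed as a UD60x18 multiplication on the raw base-unit amount.
    """
    if broker_fee > MAX_BROKER_FEE:
        raise ValueError("broker fee exceeds MAX_BROKER_FEE")
    fee_amount = ud_mul(total_base_units, broker_fee)
    return fee_amount, total_base_units - fee_amount


def fee_in_whole_tokens(whole_tokens: int, decimals: int, broker_fee: int) -> Fraction:
    """Fee charged on `whole_tokens` of a token with `decimals`, in whole tokens."""
    fee_amount, _ = split_deposit(whole_tokens * 10**decimals, broker_fee)
    return Fraction(fee_amount, 10**decimals)


# Constructed sample: 1,000 tokens at the maximum fee for three decimal settings.
SAMPLE = {d: fee_in_whole_tokens(1_000, d, MAX_BROKER_FEE) for d in (2, 6, 18)}

if __name__ == "__main__":
    for decimals, fee in SAMPLE.items():
        print(f"decimals={decimals:>2}  fee on 1000 tokens = {fee} tokens")
```

The 1e18 scale belongs to the ratio, while the amount keeps the token's own base units, so the floor in `ud_mul` only matters for amounts of a few base units.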
