If one withdrawer is blacklisted by USDC, this creates a DoS on `_withdraw()`.
```solidity
/// @dev See the documentation for the user-facing functions that call this internal function.
function _withdraw(uint256 streamId, address to, uint128 amount) internal {
    // Effect: update the withdrawn amount.
    _streams[streamId].amounts.withdrawn = _streams[streamId].amounts.withdrawn + amount;

    // Retrieve the amounts from storage.
    Lockup.Amounts memory amounts = _streams[streamId].amounts;

    // Using ">=" instead of "==" for additional safety reasons. In the event of an unforeseen increase in the
    // withdrawn amount, the stream will still be marked as depleted.
    if (amounts.withdrawn >= amounts.deposited - amounts.refunded) {
        // Effect: mark the stream as depleted.
        _streams[streamId].isDepleted = true;

        // Effect: make the stream not cancelable anymore, because a depleted stream cannot be canceled.
        _streams[streamId].isCancelable = false;
    }

    // Retrieve the ERC-20 asset from storage.
    IERC20 asset = _streams[streamId].asset;

    // Interaction: perform the ERC-20 transfer.
    asset.safeTransfer({ to: to, value: amount });

    // Log the withdrawal.
    emit ISablierV2Lockup.WithdrawFromLockupStream(streamId, to, asset, amount);
}
```
As withdrawals need to be performed in order (e.g. for an airdrop), all subsequent calls to `_withdraw()` will revert because of the USDC blacklist. The result is stuck funds and a DoS for the system.

Users may not be able to receive their tokens because they are blacklisted.
Manual Review
Use a try/catch block for the USDC transfers in `_withdraw()`, so that if the user is blacklisted, the failure is caught and that user is simply skipped instead of reverting the whole call.

Also, find a way to pay blacklisted recipients for their honest work (i.e. do not use a token that blacklists).
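The try/catch mitigation sketched above, written out as an added example (this is illustrative code, not Sablier's implementation; the contract name, the `pendingPayout` mapping, the `PayoutDeferred` event, `claimPending` and `withdrawMultiple` are all assumptions). It goes one step beyond "ignore the user": because the withdrawn amount is already booked before the transfer, a swallowed failure would otherwise lose the funds, so the undelivered amount is parked and can be pulled later to a different address, which also addresses the second recommendation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration (not Sablier's code): a minimal stream escrow showing how a
// withdrawal batch survives one recipient being blocked by a token such as USDC,
// whose transfer() reverts for blacklisted addresses. The failed amount is parked
// in `pendingPayout` instead of being dropped, so accounting stays consistent and
// the recipient can later be paid to another address.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract ResilientWithdraw {
    struct Amounts { uint128 deposited; uint128 refunded; uint128 withdrawn; }
    struct Stream { IERC20 asset; address recipient; Amounts amounts; bool isDepleted; bool isCancelable; }

    mapping(uint256 => Stream) internal _streams;
    // Undelivered amounts, keyed by asset and then by intended recipient (hypothetical name).
    mapping(IERC20 => mapping(address => uint256)) public pendingPayout;

    event WithdrawFromLockupStream(uint256 indexed streamId, address indexed to, IERC20 asset, uint128 amount);
    event PayoutDeferred(uint256 indexed streamId, address indexed to, IERC20 asset, uint128 amount, bytes reason);

    function _withdraw(uint256 streamId, address to, uint128 amount) internal {
        Stream storage s = _streams[streamId];

        // Effects first, in the same order as the audited function: the accounting is
        // updated whether or not the token transfer succeeds.
        s.amounts.withdrawn += amount;
        if (s.amounts.withdrawn >= s.amounts.deposited - s.amounts.refunded) {
            s.isDepleted = true;
            s.isCancelable = false;
        }

        IERC20 asset = s.asset;
        // Interaction: try/catch only works on external calls, so the raw ERC-20 transfer
        // is called directly rather than through SafeERC20's internal safeTransfer wrapper.
        try asset.transfer(to, amount) returns (bool ok) {
            if (!ok) {
                // Tokens that return false instead of reverting are treated the same way.
                _defer(streamId, to, asset, amount, "transfer returned false");
                return;
            }
            emit WithdrawFromLockupStream(streamId, to, asset, amount);
        } catch (bytes memory reason) {
            // A blacklisted `to` (or any other revert) no longer bubbles up, so it no
            // longer blocks the remaining streams in the same batch.
            _defer(streamId, to, asset, amount, reason);
        }
    }

    function _defer(uint256 streamId, address to, IERC20 asset, uint128 amount, bytes memory reason) private {
        pendingPayout[asset][to] += amount;
        emit PayoutDeferred(streamId, to, asset, amount, reason);
    }

    /// Lets a recipient whose transfer was deferred pull the funds to a fresh address.
    function claimPending(IERC20 asset, address to) external {
        uint256 owed = pendingPayout[asset][msg.sender];
        require(owed != 0, "nothing pending");
        pendingPayout[asset][msg.sender] = 0; // effect before interaction
        require(asset.transfer(to, owed), "claim transfer failed");
    }

    /// Batch entry point: one blocked recipient does not revert the whole batch.
    function withdrawMultiple(uint256[] calldata streamIds, uint128[] calldata amounts) external {
        require(streamIds.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < streamIds.length; ++i) {
            Stream storage s = _streams[streamIds[i]];
            require(msg.sender == s.recipient, "not recipient");
            _withdraw(streamIds[i], s.recipient, amounts[i]);
        }
    }
}
```

Two caveats worth keeping in mind when applying this pattern: `try`/`catch` can only wrap an external call, so SafeERC20's `safeTransfer` (an internal library function) has to be replaced by a direct `transfer` call plus an explicit check of the returned boolean; and a blanket `catch` also swallows reverts that have nothing to do with blacklisting, which is why the example records the revert reason in an event rather than discarding it.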