Sablier

Summary

The SablierV2 contracts employ casting of block.timestamp to uint40, which can significantly reduce the lifespan of the contract due to the limited range of the uint40 type. This report identifies the specific instances where this casting occurs and provides recommendations to avoid potential future functionality issues.

Vulnerability Details

The vulnerability is due to casting block.timestamp to uint40 in various parts of the SablierV2 contracts. The uint40 type can hold values up to (2^{40} - 1), which is significantly smaller than the range of uint256 used by block.timestamp. This casting can lead to overflow issues once the block timestamp exceeds the maximum value uint40 can hold, potentially causing incorrect behavior or failures.

The specific instances of this issue are as follows:

1. SablierV2LockupDynamic.sol

   File: v2-core/src/SablierV2LockupDynamic.sol

   ​

   156 startTime: uint40(block.timestamp),

   193 uint40 blockTimestamp = uint40(block.timestamp);

   223 uint40 blockTimestamp = uint40(block.timestamp);

   285 SD59x18 elapsedTime = (uint40(block.timestamp) - _streams[streamId].startTime).intoSD59x18();

   Source
   Source
   Source
   Source

2. SablierV2LockupLinear.sol

   File: v2-core/src/SablierV2LockupLinear.sol

   ​

   135 timestamps.start = uint40(block.timestamp);

   Source

3. SablierV2LockupTranched.sol

   File: v2-core/src/SablierV2LockupTranched.sol

   ​

   151 startTime: uint40(block.timestamp),

   184 uint40 blockTimestamp = uint40(block.timestamp);

   Source
   Source

Impact

Casting block.timestamp to uint40 can lead to overflow issues once the block timestamp exceeds the maximum value that uint40 can hold. This can cause:

• Incorrect time calculations and logic errors.

• Potential failures in contract execution.

• Reduced lifespan and reliability of the contract.

Tools Used

• Manual code review

Recommendations

Remove Casting to uint40: Avoid casting block.timestamp to uint40 and use uint256 directly to store timestamps.