SablierV2Lockup._cancel() cannot send assets back to the sender if the sender's address has been added to the ERC20 token's blacklist (applies to tokens like USDT).
Within the core logic of SablierV2Lockup._cancel(), the amount that has not yet been streamed is expected to be refunded to the sender. However, since the sender cannot specify an alternative recipient address, _cancel() will always revert if the sender's address is blacklisted by the token, which blocks the cancel functionality entirely.
https://github.com/Cyfrin/2024-05-Sablier/blob/43d7e752a68bba2a1d73d3d6466c3059079ed0c6/v2-core/src/abstracts/SablierV2Lockup.sol#L595-L599
SablierV2Lockup is inherited by SablierV2LockupDynamic, SablierV2LockupLinear, and SablierV2LockupTranched, thus affecting all types of streams. In addition, _cancel() is called by both SablierV2Lockup.cancel() and SablierV2Lockup._cancelMultiple().
Since the protocol allows any ERC20 token to be used, a malicious actor can prevent the sender from cancelling a stream if the stream was created with an asset that supports blacklisting.
Manual review
Add the option to specify an alternative recipient address in _cancel(), similar to what is already implemented for _withdraw(). Alternatively, do not push tokens to the sender on cancel; instead, record the refund and let the sender withdraw it in a separate step.
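The following is an added illustration, not Sablier's code: a simplified lockup contract (hypothetical Stream struct and storage layout) showing the push-style refund that reverts for a blacklisted sender next to the pull-style alternative recommended above, where the refund is recorded on cancel and claimed later to any address the sender chooses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative lockup contract (NOT Sablier's code). Each stream holds one
/// ERC20 asset; on cancel the unstreamed remainder belongs to the sender.
contract PullRefundLockup {
    using SafeERC20 for IERC20;

    struct Stream { address sender; IERC20 asset; uint128 refundable; bool canceled; }

    mapping(uint256 => Stream) public streams;
    // Refunds owed to each sender, per asset, claimable later (pull pattern).
    mapping(address => mapping(IERC20 => uint256)) public pendingRefund;

    // Vulnerable shape: a push transfer to the sender. If the asset blacklists
    // `sender` (e.g. USDT), the transfer reverts and cancel can never complete.
    function _cancelPush(uint256 streamId) internal {
        Stream storage s = streams[streamId];
        require(!s.canceled, "already canceled");
        s.canceled = true;
        s.asset.safeTransfer(s.sender, s.refundable); // reverts for a blacklisted sender
    }

    // Hardened shape: record the refund and let the sender pull it to any
    // address they choose, so a blacklisted sender address cannot brick cancel.
    function _cancelPull(uint256 streamId) internal {
        Stream storage s = streams[streamId];
        require(!s.canceled, "already canceled");
        s.canceled = true;
        pendingRefund[s.sender][s.asset] += s.refundable;
        s.refundable = 0;
    }

    /// Sender withdraws an owed refund to a freely chosen address.
    function claimRefund(IERC20 asset, address to) external {
        uint256 amount = pendingRefund[msg.sender][asset];
        require(amount > 0, "nothing to claim");
        pendingRefund[msg.sender][asset] = 0; // effects before interaction
        asset.safeTransfer(to, amount);
    }
}
```

A stream cancelled via _cancelPull() always succeeds regardless of the sender's blacklist status; only the later claimRefund() call depends on the chosen recipient being transferable to.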