Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: medium
Valid

Token symbol containing a double quote breaks the NFT JSON payload

Impact

The JSON payload of the NFT that represents the stream can be broken (made unparseable) or partially altered by a malicious ERC20 token.

Proof of concept

The NFT tokenURI is a base64-encoded JSON payload that embeds the underlying ERC20 token's symbol in several places.

JSON uses double quotes (") both to delimit keys ({"key" : ...}) and to delimit string values ({"key" : "I am a string"}).

A token whose symbol contains a " therefore terminates the string value early. The result is a payload with unbalanced quotes that cannot be parsed or, worse, a payload whose structure and contents are changed by the injected text, which could be used for honeypot or phishing attacks.

Because SablierV2NFTDescriptor::safeAssetSymbol() replaces the ERC20 token symbol when it is too long, the attack surface is limited, but the fact that the tokenURI can be broken must still be considered.


The proof of concept below shows what an attacker could do by deploying an ERC20 token with a malicious symbol.

Modify the symbol of the mock ERC20 token in v2-core/test/Base.t.sol on line 58 as follows (pick one of the two):

58: dai = new ERC20Mock("Dai Stablecoin", "DAI\"BROKEN"); // Simply breaks the JSON
58: dai = new ERC20Mock("Dai Stablecoin", "\",\"value\":\"Injected"); // Partially changes the JSON

Add the following test to v2-core/test/integration/concrete/lockup-dynamic/token-uri/tokenURI.t.sol (the existing file already has the Base64 helper and the vm cheatcodes in scope):

function test_Broken_TokenURI() external skipOnMismatch givenNFTExists {
    // Fetch the tokenURI of the default stream, a data URI of the form
    // "data:application/json;base64,<payload>".
    string memory tokenURI = lockupDynamic.tokenURI(defaultStreamId);
    // Strip the data URI prefix so that only the base64 payload remains.
    tokenURI = vm.replace({ input: tokenURI, from: "data:application/json;base64,", to: "" });
    // Decode the payload back into the raw JSON document.
    string memory actualDecodedTokenURI = string(Base64.decode(tokenURI));
    // Write it to disk so that it can be inspected with an external JSON parser.
    string memory filename = "broken.json";
    vm.writeFile(filename, actualDecodedTokenURI);
}

Running the test writes the decoded JSON payload of the NFT to v2-core/broken.json. Opening that file in a browser (Firefox) shows that it is malformed:

SyntaxError: JSON.parse: expected ',' or '}' after property value in object at line 1 column 48 of the JSON data

Recommended mitigation steps

Modify the SablierV2NFTDescriptor::safeAssetSymbol() function so that it escapes every special character in the token symbol (and do the same for the token name), in particular the \ and " characters, before the string is interpolated into the JSON payload.
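As an added example (not part of the original submission and not Sablier's code), the script below reproduces in one place both the injection from the proof of concept and the escaping proposed as mitigation. The JSON template is a constructed, simplified stand-in for the descriptor's real payload, the two symbols are the ones used in the proof of concept, and the function and constant names are assumptions of this example. The escaper is written as a plain character loop rather than with json.dumps so that the same logic ports directly to a bytes-level Solidity implementation inside safeAssetSymbol().

```python
import json

# Constructed, simplified stand-in for the NFT descriptor's JSON assembly
# (not Sablier's real template). The asset symbol is concatenated straight into
# the payload, which is the defect the report describes.
def build_json_naive(asset_symbol: str) -> str:
    return (
        '{"name":"Sablier Stream",'
        '"attributes":[{"trait_type":"Asset","value":"' + asset_symbol + '"}],'
        '"description":"Lockup stream of ' + asset_symbol + '"}'
    )


def escape_json_string(s: str) -> str:
    """Escape s so it can sit inside a double-quoted JSON string value.

    Handles the two characters the report singles out (backslash and double
    quote) plus the ASCII control characters that JSON forbids unescaped.
    Written as a plain loop rather than json.dumps so it maps 1:1 onto a
    bytes-level Solidity implementation.
    """
    short_forms = {'"': '\\"', '\\': '\\\\', '\n': '\\n', '\r': '\\r', '\t': '\\t'}
    out = []
    for ch in s:
        if ch in short_forms:
            out.append(short_forms[ch])
        elif ord(ch) < 0x20:
            out.append('\\u%04x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def build_json_safe(asset_symbol: str) -> str:
    """Same template, but the symbol is escaped before interpolation."""
    return build_json_naive(escape_json_string(asset_symbol))


def try_parse(payload: str):
    """Return (parsed, None) on success or (None, error message) on failure."""
    try:
        return json.loads(payload), None
    except json.JSONDecodeError as exc:
        return None, str(exc)


def asset_value(parsed: dict) -> str:
    """The 'Asset' attribute a marketplace would display for the stream."""
    return parsed["attributes"][0]["value"]


# The two malicious symbols from the proof of concept (constructed inputs).
BROKEN_SYMBOL = 'DAI"BROKEN'            # unbalanced quote: payload no longer parses
INJECT_SYMBOL = '","value":"Injected'   # closes the string and smuggles in a new key


if __name__ == "__main__":
    for sym in (BROKEN_SYMBOL, INJECT_SYMBOL):
        parsed, err = try_parse(build_json_naive(sym))
        print("naive  ", repr(sym), "->", err or asset_value(parsed))
        parsed, err = try_parse(build_json_safe(sym))
        print("escaped", repr(sym), "->", err or asset_value(parsed))
```

With the naive template the first symbol makes the parser fail, and the second one parses cleanly but overwrites the "value" attribute and adds a top-level "value" key, which is the payload-changing case the report warns about; with escaping both symbols round-trip unchanged. Note that JSON escaping only protects the JSON context: the finding was tagged SVG Injection, and wherever the symbol is rendered inside the SVG image it needs XML escaping of &, < and > instead, which this function does not provide.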

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

SVG Injection
