Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: low
Invalid

Factory contract doesn't reference the contracts it creates

Impact

Creating a SablierV2MerkleLL or SablierV2MerkleLT contract through SablierV2MerkleLockupFactory is not necessary, because the created contract is not stored in the factory contract.

This results in SablierV2MerkleLockupFactory being useless as users could simply deploy their own SablierV2Merkle contracts.

Proof of concept

Usually, a factory contract stores the contracts it creates in its storage in order for the dApp to easily retrieve the legitimate contracts deployed.

Users would trust the contracts displayed on the web interface because they are shown by Sablier, on which they rely.

Since that is not the case, SablierV2MerkleLockupFactory simply acts as a helper contract and does not force users to create their SablierV2Merkle contracts through the factory.

In this case, a potential error can occur in SablierV2MerkleLT, as it does not check that the supplied tranche percentages add up to 100%, which was supposed to be done by the factory.

Recommended mitigation steps

Add a storage variable in SablierV2MerkleLockupFactory which is responsible for tracking the contracts created by it.

If not tracking the contracts created by the factory is a design choice, the SablierV2MerkleLT constructor should verify that the percentages in the tranchesWithPercentages variable add up to 100%.
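A sketch of both mitigations side by side, added here as an illustration and not taken from the Sablier code base. The contract names, the `Tranche` struct, the `isCreatedByFactory` mapping and the fixed-point scale (1e18 == 100%) are all hypothetical assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

// Added illustration only: simplified, hypothetical contracts, not Sablier's code.

/// Stand-in for a tranched Merkle campaign.
contract ExampleMerkleLT {
    struct Tranche {
        uint64 unlockPercentage; // assumption: fixed-point, 1e18 == 100%
        uint40 duration;
    }

    uint64 public constant ONE_HUNDRED_PERCENT = 1e18;

    error PercentagesDoNotSumTo100(uint256 total);

    Tranche[] private _tranches;

    constructor(Tranche[] memory tranches) {
        uint256 total; // uint256 accumulator, so summing uint64 values cannot overflow
        for (uint256 i = 0; i < tranches.length; ++i) {
            total += tranches[i].unlockPercentage;
            _tranches.push(tranches[i]);
        }
        // Mitigation 2: the check lives in the campaign itself, so it also
        // applies when the contract is deployed without going through the factory.
        if (total != ONE_HUNDRED_PERCENT) revert PercentagesDoNotSumTo100(total);
    }
}

/// Stand-in for the factory, extended with a registry of its deployments.
contract ExampleMerkleFactory {
    // Mitigation 1: on-chain record that a front end or integrator can query.
    mapping(address campaign => bool) public isCreatedByFactory;

    event CampaignCreated(address indexed campaign, address indexed creator);

    function createMerkleLT(ExampleMerkleLT.Tranche[] memory tranches)
        external
        returns (ExampleMerkleLT campaign)
    {
        campaign = new ExampleMerkleLT(tranches); // reverts on a bad percentage sum
        isCreatedByFactory[address(campaign)] = true;
        emit CampaignCreated(address(campaign), msg.sender);
    }
}
```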

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic
