Sablier

Summary

Sablier implements several callback functions that are invoked during renounce, withdraw, and cancel operations if the sender or recipient is a contract. These are placed in try/catch blocks, which means that if a callback function reverts, it will not cause the main transaction to revert. The problem is that a malicious user can calculate the exact amount of gas needed to execute the corresponding function so that there isn't enough gas left for the callback functions to be executed. This will not cause the main transaction to revert due to the 1/64 gas rule. This renders these callback functions useless. If critical functionalities for the sender/recipient are implemented within them, the impact could be high. It should also be noted that withdraw can be executed without restrictions by a third-party user different from the sender/recipient, with the aim of preventing the callback functions from being executed and harming the respective users. Finally, I want to note that this is a different attack vector than the 'gas bomb' attack explained in the known issues section.

Vulnerability Details

Above.

Impact

Malicious user may bypass the execution of the callback functions, bypassing potentially critical functionality implemented in them.

Tools Used

Manual review

Recommendations

My advice is to consider to revert the main transaction in case of OOG issues in order to assure that these callback function will be always executed.