Every stream has a sender, who acts as the administrator of the respective stream and has the right to execute the cancel function (if the stream is cancellable) and thus retrieve the funds that have not yet been streamed at that moment.
When an airstream campaign is created in the SablierV2MerkleLL and SablierV2MerkleLT contracts, an admin is set; this admin is subsequently passed as the sender whenever the claim function is called and a stream is created. Both contracts inherit a common contract, SablierV2MerkleLockup, which has a function to change the admin address.
The known issues section notes that, after the admin is changed, the callback functions of existing streams will still pass the old admin. However, that is not the main consequence of the fact that the admin (sender) of existing streams cannot be changed. The main problem is that the creator of an airstream campaign is a user of the protocol and therefore not trusted, so it is reasonable to assume that under certain circumstances the account provided as the admin may be compromised. In such a case the campaign creator should transfer the administrative rights to another account as quickly as possible. However, there is no way to change the sender of existing streams, so the compromised account can still use the cancel feature to withdraw the funds remaining in those streams.
Above.
Loss of funds for the users under certain circumstances.
Manual review
My advice is to consider implementing the ability to change the sender of an existing stream.
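As an added illustration (not Sablier's code), a minimal stream registry with the mitigation the recommendation asks for: `updateSender` lets the current sender hand the role to a fresh account before a compromised key can cancel. The contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative stream registry (hypothetical, not Sablier's code).
/// `sender` is fixed at creation, exactly the gap the finding describes;
/// `updateSender` is the suggested mitigation.
contract MinimalStreams {
    struct Stream {
        address sender;      // stream admin; may cancel if `isCancelable`
        address recipient;
        uint128 amount;      // total deposited
        uint128 withdrawn;
        bool isCancelable;
        bool wasCanceled;
    }

    uint256 public nextStreamId = 1;
    mapping(uint256 => Stream) public streams;

    event SenderUpdated(uint256 indexed streamId, address indexed oldSender, address indexed newSender);

    function create(address sender, address recipient, uint128 amount, bool isCancelable)
        external
        returns (uint256 streamId)
    {
        require(sender != address(0) && recipient != address(0), "zero address");
        streamId = nextStreamId++;
        streams[streamId] = Stream(sender, recipient, amount, 0, isCancelable, false);
    }

    /// Only the current sender may cancel; unstreamed funds go back to the sender.
    function cancel(uint256 streamId) external {
        Stream storage s = streams[streamId];
        require(msg.sender == s.sender, "not sender");
        require(s.isCancelable && !s.wasCanceled, "not cancelable");
        s.wasCanceled = true;
        // refund of (amount - streamed so far) to s.sender omitted for brevity
    }

    /// Mitigation: the current sender rotates the role to a new account.
    function updateSender(uint256 streamId, address newSender) external {
        Stream storage s = streams[streamId];
        require(msg.sender == s.sender, "not sender");
        require(newSender != address(0), "zero address");
        require(!s.wasCanceled, "already canceled");
        emit SenderUpdated(streamId, s.sender, newSender);
        s.sender = newSender;
    }
}
```

The rotation only helps if the legitimate holder acts before the compromised key does; for an airstream, the campaign contract would call `updateSender` for each stream it created so the new admin takes over all of them at once.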