Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: medium
Invalid

The lack of input parameter sanitization in V2Merkle contracts prevents anyone from claiming airstreams

Summary

The lack of input parameter sanitization in V2Merkle contracts prevents anyone from claiming airstreams.

Vulnerability Details

Three contracts are affected by this bug:

  1. SablierV2MerkleLL:
    In this contract, a malicious creator can abuse the streamDurations_ parameter. By setting the total field of the streamDurations_ struct to 0, the creation of a Lockup Linear stream becomes impossible: timestamps.start and timestamps.end are then always equal, which triggers this revert:

    if (timestamps.start >= timestamps.end) {
    ->  revert Errors.SablierV2LockupLinear_StartTimeNotLessThanEndTime(timestamps.start, timestamps.end);
    }

As a result, no Lockup Linear stream can be created.

  2. SablierV2MerkleLT:
    In this contract, a malicious creator can manipulate the unlockPercentage field of the TrancheWithPercentage struct. By supplying a value such as 1.1e18, which represents a percentage greater than 100%, the calculatedAmountsSum variable exceeds claimAmount in the _calculateTranches function, so the creation of any Lockup Tranched stream fails on this assertion:

    assert(calculatedAmountsSum <= claimAmount);

As a result, no Lockup Tranched stream can be created.

  3. SablierV2MerkleLockupFactory:
    In this contract, a malicious creator can apply the same manipulation described in point 1 to the createMerkleLL function, which again makes it impossible to create any Lockup Linear streams.

In all three cases, recipients are unable to claim their tokens even though the contract has been deployed.

Impact

The SablierV2MerkleLL, SablierV2MerkleLT and SablierV2MerkleLockupFactory contracts are all affected by this issue.

A malicious creator can set parameters such that recipients cannot create a Lockup stream and therefore cannot claim any tokens. Because the input parameters are not sanitized, SablierV2MerkleLL and SablierV2MerkleLT contracts can be deployed even when the parameters supplied by the malicious creator make it impossible to create any Lockup stream. Since these two contracts deploy successfully, a malicious creator can mislead recipients into believing the airdrop is legitimate.

In the SablierV2MerkleLockupFactory contract, the createMerkleLT function contains logic that rejects incorrect parameters, but the createMerkleLL function does not, so the malicious creator can exploit the same issue there.

Tools Used

Manual Review

Recommendations

Incorporate the checkCreateLockupLinear and checkCreateLockupTranched functions from the helper contract into the constructors of the SablierV2MerkleLL and SablierV2MerkleLT contracts respectively, to ensure these contracts are created only with valid parameters.
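As an added illustration of where the recommended constructor-time checks belong (example code written for this page, not Sablier's Helpers library; the MerkleParamChecks library, its struct, function and error names, the convention that cliff == 0 means "no cliff", and the convention that unlock percentages are 18-decimal fractions that must sum to exactly 1e18 are all assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity >=0.8.19;

/// @dev Hypothetical parameter checks (added example, not Sablier's Helpers library).
library MerkleParamChecks {
    /// @dev 100% expressed as an 18-decimal fraction (assumed convention).
    uint256 internal constant UNIT = 1e18;

    struct Durations { uint40 cliff; uint40 total; }
    struct TrancheWithPercentage { uint64 unlockPercentage; uint40 duration; }

    error TotalDurationZero();
    error CliffNotLessThanTotal(uint40 cliff, uint40 total);
    error NoTranches();
    error TrancheDurationZero(uint256 index);
    error UnlockPercentagesSumNotUnit(uint256 sum);

    /// @dev Rejects durations that would make every Lockup Linear claim revert:
    /// total == 0 gives start == end, and a non-zero cliff must end before total.
    function checkDurations(Durations memory d) internal pure {
        if (d.total == 0) revert TotalDurationZero();
        if (d.cliff != 0 && d.cliff >= d.total) revert CliffNotLessThanTotal(d.cliff, d.total);
    }

    /// @dev Rejects tranche tables whose percentages do not sum to exactly 100%,
    /// so the per-claim tranche amounts can never exceed the claim amount.
    function checkTranches(TrancheWithPercentage[] memory t) internal pure {
        if (t.length == 0) revert NoTranches();
        uint256 sum;
        for (uint256 i = 0; i < t.length; ++i) {
            if (t[i].duration == 0) revert TrancheDurationZero(i);
            sum += t[i].unlockPercentage;
        }
        if (sum != UNIT) revert UnlockPercentagesSumNotUnit(sum);
    }
}

/// @dev Minimal constructor showing where the check belongs; the real contracts
/// take many more parameters (merkle root, asset, expiration, and so on).
contract MerkleLLHardened {
    MerkleParamChecks.Durations public streamDurations;

    constructor(MerkleParamChecks.Durations memory streamDurations_) {
        // Reverts at deploy time instead of letting every later claim() revert.
        MerkleParamChecks.checkDurations(streamDurations_);
        streamDurations = streamDurations_;
    }
}
```

Running checkDurations with total = 0 reverts with TotalDurationZero, and running checkTranches with a single tranche of 1.1e18 reverts with UnlockPercentagesSumNotUnit, so neither misconfiguration can reach a deployed campaign.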

Updates

Lead Judging Commences
inallhonesty, Lead Judge, about 1 year ago

Submission Judgement Published
inallhonesty, Lead Judge, about 1 year ago
Invalidated
Reason: Incorrect statement

0x0bserver, Submitter, about 1 year ago
