Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: medium
Invalid

Malicious `lockupLinear`, `lockupDynamic` and `lockupTranched` contract addresses can be passed to the `SablierV2BatchLockup`, `SablierV2MerkleLT` and `SablierV2MerkleLL` contracts

Summary

Malicious lockupLinear, lockupDynamic and lockupTranched contract addresses can be passed to the SablierV2BatchLockup, SablierV2MerkleLT and SablierV2MerkleLL contracts.

Vulnerability Details

There are three additional instances of this bug beyond the one outlined in the Known Issues section of the documentation. These instances are as follows:

SablierV2BatchLockup: This contract permits any creator to supply arbitrary contract addresses for lockupLinear, lockupDynamic, and lockupTranched. No check verifies that these addresses point to the protocol's own deployments.

SablierV2MerkleLT and SablierV2MerkleLL: Both of these contracts also enable any creator to input arbitrary contract addresses for lockupTranched and lockupLinear, respectively.

This allows a malicious actor to deploy their own version of the Lockup contracts containing malicious code and pass it off as legitimate.

Impact

An attacker could substitute their own contract address for the protocol's lockup contracts, potentially inserting malicious code. This could deceive recipients into believing their lockup stream is legitimate, allowing the attacker to steal funds from unsuspecting recipients.

One such approach is as follows:

  1. Attacker creates a malicious SablierV2LockupLinear contract containing a condition where recipients can only withdraw tokens if they approve the address for an equivalent amount of tokens.

  2. Attacker can then steal some funds after a certain period.

Tools Used

Manual Review

Recommendations

The lockupLinear, lockupDynamic, and lockupTranched contract addresses should be supplied as constructor arguments and stored by the contract, rather than accepted from the caller on each call. Only the admin should be able to change these stored addresses.
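As an added illustration of the recommended design (this is not code from the Sablier repository, and it is written against a hypothetical `ILockup` interface rather than Sablier's real lockup interfaces), the first contract below accepts an arbitrary lockup address from the caller, which is the pattern the finding describes; the second pins the three lockup addresses at construction time, checks that each is a deployed contract, and restricts later changes to the admin. Since the judgement recorded below marks this submission as invalid, the example shows the general pattern of pinning trusted dependency addresses rather than a confirmed defect in Sablier.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal stand-in for a lockup contract. This interface is an
// assumption made for this example and is not Sablier's ISablierV2Lockup*.
interface ILockup {
    function createWithDurations(address recipient, uint256 amount) external returns (uint256 streamId);
}

/// Pattern described in the finding: the caller picks the lockup contract, so
/// nothing ties `lockup` to a known protocol deployment.
contract BatchCreatorArbitrary {
    function batchCreate(ILockup lockup, address[] calldata recipients, uint256[] calldata amounts)
        external
        returns (uint256[] memory streamIds)
    {
        require(recipients.length == amounts.length, "length mismatch");
        streamIds = new uint256[](recipients.length);
        for (uint256 i = 0; i < recipients.length; ++i) {
            // Funds and stream state end up in whatever contract the caller supplied.
            streamIds[i] = lockup.createWithDurations(recipients[i], amounts[i]);
        }
    }
}

/// Pattern described in the recommendation: lockup addresses are fixed in the
/// constructor and only the admin can rotate them. Callers cannot substitute
/// their own contract.
contract BatchCreatorPinned {
    enum LockupKind { Linear, Dynamic, Tranched }

    address public admin;
    // One stored address per lockup kind, indexed by LockupKind.
    mapping(LockupKind => ILockup) public lockups;

    event LockupUpdated(LockupKind indexed kind, address indexed oldLockup, address indexed newLockup);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(address admin_, ILockup linear_, ILockup dynamic_, ILockup tranched_) {
        require(admin_ != address(0), "zero admin");
        admin = admin_;
        _setLockup(LockupKind.Linear, linear_);
        _setLockup(LockupKind.Dynamic, dynamic_);
        _setLockup(LockupKind.Tranched, tranched_);
    }

    /// Admin-only rotation of a lockup address, emitting an event so the change
    /// is visible to monitoring and to recipients verifying the deployment.
    function setLockup(LockupKind kind, ILockup newLockup) external onlyAdmin {
        _setLockup(kind, newLockup);
    }

    /// The caller chooses only the kind; the address comes from storage.
    function batchCreate(LockupKind kind, address[] calldata recipients, uint256[] calldata amounts)
        external
        returns (uint256[] memory streamIds)
    {
        require(recipients.length == amounts.length, "length mismatch");
        ILockup lockup = lockups[kind];
        streamIds = new uint256[](recipients.length);
        for (uint256 i = 0; i < recipients.length; ++i) {
            streamIds[i] = lockup.createWithDurations(recipients[i], amounts[i]);
        }
    }

    function _setLockup(LockupKind kind, ILockup newLockup) internal {
        // Reject the zero address and externally owned accounts; a real
        // deployment would additionally compare against the published address.
        require(address(newLockup).code.length > 0, "lockup is not a contract");
        emit LockupUpdated(kind, address(lockups[kind]), address(newLockup));
        lockups[kind] = newLockup;
    }
}
```

The `code.length` check only guarantees that some contract exists at the address; deciding whether that contract is the protocol's genuine deployment is a governance decision, which is why the setter is restricted to the admin and every change is logged.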

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
