SablierV2Lockup is not EIP4906 compliant.
Summary
According to EIP4906-specification, the smart contracts that are implementing it must have a supportsInferface(bytes4) function that returns true when called with 0x49064906. But, there in no implementation of supportsInterface(bytes4) function in the SablierV2Lockup contract.
Vulnerability Details
The contract inherits from ERC4906 and ERC721.
But, there is no overridden supportsInterface() function implemented inside the SablierV2Lockup contract.
Impact
When integrating with external protocols like NFT marketplaces, they check for supportsInterface() function with 0x49064906 interface id to make sure that our NFTs supports metadata and batch metadata update.
But in our case, supportsInterface() function is not implemented. Thus, the NFT markets will not update the images and related attributes of the NFTs.
Unlike other NFTs, stream NFTs are different. They contain various attributes like progress, status, amount and duration of the stream. Not updating these attributes for transferable NFTs can lead to recipients honey pot other users while selling/transferring the NFTs and In our case these attributes are never updated.
Tools Used
Manual Analysis
Recommendations
Implement the supportsInterface() function in the SablierV2Lockup contract like the reference implementation suggested by EIP4906 specification.
Lead Judging Commences
Info/Gas/Invalid as per Docs
https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
supportsInterface() not properly implemented to support ERC4906
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.