The SablierV2MerkleLL and SablierV2MerkleLT contracts inherit from SablierV2MerkleLockup, which is Adminable.
The Adminable contract has a transferAdmin function, but it does not update the admin of the SablierV2Lockup streams created from SablierV2MerkleLockup, because the admin (sender) of these streams is immutable.
When a protocol uses the SablierV2MerkleLockup contracts to create an airstream, the admin is initially assigned the admin role. However, the current (usually first) admin is also set as the sender in the SablierV2Lockup contract, granting them rights to the SablierV2Lockup::cancel function (if cancelable) and other "admin-only" functions.
If the protocol admin's private key is compromised, or any other issue arises, using the Adminable::transferAdmin function to transfer admin rights will only change the admin role on the SablierV2MerkleLockup contracts. The previous admin will still retain the ability to cancel all streams and retrieve all refunded amounts on the SablierV2Lockup contract, because the admin (sender) of the streams remains immutable; the previous admin can keep using those retained privileges after the transfer.
Manual Review
Implement a mechanism to update the admin of all streams when using the Adminable::transferAdmin function on SablierV2MerkleLockup.
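As an added illustration (not Sablier's code; LockupModel, MerkleLockupVulnerable and MerkleLockupHardened are simplified hypothetical stand-ins), the following shows why transferAdmin does not propagate when the admin address is recorded as the immutable stream sender, next to one way to make it propagate: the campaign contract itself becomes the sender and gates cancel() by its current admin. This differs from the recommendation above (updating the admin of each stream) but reaches the same goal without touching the immutable sender.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal Adminable stand-in: a transferable admin role (hypothetical model).
abstract contract Adminable {
    address public admin;
    event TransferAdmin(address indexed oldAdmin, address indexed newAdmin);
    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    constructor(address initialAdmin) { admin = initialAdmin; }
    function transferAdmin(address newAdmin) external virtual onlyAdmin {
        emit TransferAdmin(admin, newAdmin);
        admin = newAdmin;
    }
}

// Stand-in for the lockup: the sender is fixed at creation and is the only party allowed to cancel.
contract LockupModel {
    struct Stream { address sender; address recipient; uint128 deposit; bool cancelled; }
    mapping(uint256 => Stream) public streams;
    uint256 public nextId = 1;
    function create(address sender, address recipient, uint128 deposit) external returns (uint256 id) {
        id = nextId++;
        streams[id] = Stream(sender, recipient, deposit, false);
    }
    function cancel(uint256 id) external {
        require(msg.sender == streams[id].sender, "only sender"); // sender never changes
        streams[id].cancelled = true;
    }
}

// Vulnerable pattern: the admin address at claim time is recorded as the stream sender,
// so a later transferAdmin() leaves the old admin able to cancel every stream it created.
contract MerkleLockupVulnerable is Adminable {
    LockupModel public lockup;
    constructor(LockupModel l, address a) Adminable(a) { lockup = l; }
    function claim(address recipient, uint128 amount) external returns (uint256) {
        return lockup.create(admin, recipient, amount);
    }
}

// Hardened pattern: the campaign contract is the sender; cancel rights follow the *current* admin,
// so transferAdmin() immediately revokes the previous admin's ability to cancel.
contract MerkleLockupHardened is Adminable {
    LockupModel public lockup;
    constructor(LockupModel l, address a) Adminable(a) { lockup = l; }
    function claim(address recipient, uint128 amount) external returns (uint256) {
        return lockup.create(address(this), recipient, amount);
    }
    function cancel(uint256 id) external onlyAdmin { lockup.cancel(id); }
}
```

With the campaign contract as sender, any refund on cancel is paid to that contract rather than to an EOA, so a real implementation also needs an admin-gated path to withdraw such refunds.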