Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: low
Invalid

Senders and recipients can prevent functionalities by consuming maximum gas in callbacks

Summary

When senders and/or recipients become malicious, they can consume the maximum available gas in callbacks to prevent the other party from executing some functionalities.

Vulnerability Details

When core actions such as renounce, withdraw, or cancel happen, the callbacks of senders and/or recipients are called so that they can perform custom actions.
However, no gas limit is passed to these callbacks, which makes it possible to consume the maximum available gas in a callback and prevent these features from executing.

Impact

  • When senders become malicious, they consume maximum gas in the onLockupStreamWithdrawn callback to prevent recipients from withdrawing assets.

  • When recipients become malicious, they consume maximum gas in onLockupStreamRenounced to prevent the renounce action and in onLockupStreamCanceled to prevent the cancel action by senders.

Tools Used

Manual Review

Recommendations

When callbacks are called, a maximum gas amount has to be passed so that they do not consume more gas than the given amount.
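A sketch of the recommended mitigation, added here as an example and not taken from the submission or from Sablier's code base: the callback is invoked with an explicit gas cap inside try/catch, so a hook that burns gas or reverts cannot block the core action. The interface `IWithdrawHook`, its parameter list, the contract `BoundedHookCaller`, the `HOOK_GAS_LIMIT` value and the `HookFailed` event are all assumptions made for illustration; only the callback name comes from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical hook interface; the parameter list is an assumption for this example.
interface IWithdrawHook {
    function onLockupStreamWithdrawn(uint256 streamId, address caller, address to, uint128 amount) external;
}

/// Constructed example contract, not Sablier's implementation.
contract BoundedHookCaller {
    /// Assumed cap; a real value has to be derived from the cost of legitimate hooks.
    uint256 internal constant HOOK_GAS_LIMIT = 100_000;

    event HookFailed(uint256 indexed streamId, address indexed hook);

    /// Intended to run after state is updated and assets are transferred,
    /// so the hook cannot block or reorder the core action.
    function _notifyWithdraw(address hook, uint256 streamId, address to, uint128 amount) internal {
        // Accounts without code have no callback to run; skipping them also avoids
        // the uncaught revert Solidity raises when calling a non-contract.
        if (hook.code.length == 0) return;

        // EIP-150 forwards at most 63/64 of the remaining gas. Requiring enough gas
        // up front guarantees the hook really receives HOOK_GAS_LIMIT, so a
        // transaction sent with too little gas cannot silently skip the notification.
        require(gasleft() * 63 / 64 > HOOK_GAS_LIMIT, "insufficient gas for hook");

        // Gas is capped, and a revert or out-of-gas inside the hook is caught:
        // the withdrawal itself still succeeds and the failure is logged.
        try IWithdrawHook(hook).onLockupStreamWithdrawn{gas: HOOK_GAS_LIMIT}(
            streamId, msg.sender, to, amount
        ) {} catch {
            emit HookFailed(streamId, hook);
        }
    }
}
```

The cap bounds the hook's cost to the caller at a known constant, at the price of breaking integrations whose legitimate hooks need more gas than the chosen limit.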

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Known - Contest Details

https://www.codehawks.com/contests/clvb9njmy00012dqjyaavpl44
