Sablier

Sablier
DeFiFoundry
53,440 USDC
View results
Submission Details
Severity: medium
Invalid

Default Transferability Assumption in Sablier V2 NFT Descriptor

Summary

  • the bug is in the assumption that streams are transferable by default if the isTransferable function is not found

Vulnerability Details

The vulnerable part :

The contract assumes that streams are transferable if the isTransferable function does not exist or the call fails.

(vars.success, vars.returnData) = address(vars.sablier).staticcall(abi.encodeCall(ISablierV2Lockup.isTransferable, (streamId)));
// When the call has failed, the stream NFT is assumed to be transferable.
vars.isTransferable = vars.success ? abi.decode(vars.returnData, (bool)) : true;

An attacker can exploit this assumption by transferring streams that are mistakenly deemed transferable due to the absence or failure of the isTransferable function. This could happen in older deployments where this function is missing.

  • Here is a scenario details the issue :

  • let’s that Alice Creates a Stream to transfer 3000 DAI to Bob over January.

  • Alice assumes the stream is non-transferable because the older version of the contract she uses does not implement isTransferable.

  • and Bob Assumes Control wants to check if he can transfer the stream to another account.

  • The isTransferable function does not exist in the version of the contract Alice used.

  • The contract defaults to true, assuming the stream is transferable as here :

vars.isTransferable = vars.success ? abi.decode(vars.returnData, (bool)) : true;
  • so Bob successfully transfers the stream to a new address.

  • so Alice realizes that her funds are now controlled by an unintended recipient because of the incorrect default assumption of transferability

Impact

Users may unknowingly transfer streams that they assumed were non-transferable and
Unintended recipients might gain control over streams, leading to possible financial losses

Tools Used

Manual review

Recommendations

Need that the contract should default to
non-transferable if the isTransferable function is not found

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.