Default Transferability Assumption in Sablier V2 NFT Descriptor
Summary
the bug is in the assumption that streams are transferable by default if the isTransferable function is not found
Vulnerability Details
The vulnerable part :
The contract assumes that streams are transferable if the isTransferable function does not exist or the call fails.
An attacker can exploit this assumption by transferring streams that are mistakenly deemed transferable due to the absence or failure of the isTransferable function. This could happen in older deployments where this function is missing.
Here is a scenario details the issue :
let’s that Alice Creates a Stream to transfer 3000 DAI to Bob over January.
Alice assumes the stream is non-transferable because the older version of the contract she uses does not implement isTransferable.
and Bob Assumes Control wants to check if he can transfer the stream to another account.
The isTransferable function does not exist in the version of the contract Alice used.
The contract defaults to true, assuming the stream is transferable as here :
so Bob successfully transfers the stream to a new address.
so Alice realizes that her funds are now controlled by an unintended recipient because of the incorrect default assumption of transferability
Impact
Users may unknowingly transfer streams that they assumed were non-transferable and
Unintended recipients might gain control over streams, leading to possible financial losses
Tools Used
Manual review
Recommendations
Need that the contract should default to
non-transferable if the isTransferable function is not found
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.