Summary

In the constructor, if MAX_SEGMENT_COUNT is equal to 0, it will result in a DOS when creating the Lockup Dynamic stream. P.S.: Although this is an operation performed by the deployer, mistakes can occur during the actual process. If 0 is accidentally inputted, it will prevent the successful creation of the Lockup Dynamic stream.

Similarly, in SablierV2LockupTranched.sol, MAX_TRANCHE_COUNT cannot be set to 0 when creating a Lockup Tranched Stream. The reason is the same as described above.

Vulnerability Details

1. When calling _create, the check Helpers.checkCreateLockupDynamic(createAmounts.deposit, params.segments, MAX_SEGMENT_COUNT, params.startTime); is performed.

2. In checkCreateLockupDynamic:

   • uint256 segmentCount = segments.length; if (segmentCount == 0) { revert Errors.SablierV2LockupDynamic_SegmentCountZero(); }

   • if (segmentCount > maxSegmentCount) { revert Errors.SablierV2LockupDynamic_SegmentCountTooHigh(segmentCount); }

3. If the deployer mistakenly sets MAX_SEGMENT_COUNT to 0, the condition segmentCount > maxSegmentCount will succeed, leading to a revert and causing a DOS when creating the Lockup Dynamic stream.

Impact

If MAX_SEGMENT_COUNT is set to 0, it will not be possible to create the Lockup Dynamic stream successfully.

Tools Used

Manual Review

Recommendations

It is recommended to add a conditional check in this constructor to require that maxSegmentCount cannot be equal to 0.And setting a reasonable value