Sablier
DeFiFoundry
53,440 USDC
Submission Details
Severity: low
Invalid

There is no way to recover funds if the stream recipient does not, or is unable to, claim the streamed amount.

Summary

There is no way to recover funds if the stream recipient does not, or is unable to, claim the streamed amount.

Vulnerability Details

When creating a stream, all the funds are deposited by the stream sender into the Lockup contracts, i.e. LockupDynamic, LockupLinear and LockupTranched. These funds are released over time for the recipient to withdraw, according to the type of stream.

params.asset.safeTransferFrom({ from: msg.sender, to: address(this), value: createAmounts.deposit });

The problem is that the recipient is a single point of failure: the recipient cannot be changed once the stream has been created.
Suppose:

  1. The stream NFT is non-transferable.

  2. USDC/USDT is deposited as the asset and the recipient gets blacklisted; the streamed funds are then stuck forever.

Impact

Funds may get stuck inside the contract forever.

Tools Used

Manual Analysis

Recommendations

Add functionality like the clawback() function in SablierV2MerkleLockup.sol, so that the stream sender is able to recover streamed but not yet withdrawn funds after a certain time from when the stream ends, say about a year after the stream's end time.
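As an added illustration of the recommended mitigation (this is hypothetical example code, not Sablier's Lockup contracts), the following minimal linear stream keeps the sender's deposit escrowed as described above and adds a time-gated clawback(): once the stream has ended and an assumed CLAWBACK_DELAY grace period has elapsed, the sender can reclaim whatever the recipient never withdrew, which covers the blacklisted-recipient case. The contract, struct layout, constant name and grace period are all assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal lockup stream (example code, not Sablier's implementation).
// Demonstrates a sender clawback of streamed-but-unwithdrawn funds after a grace period.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract MinimalLockupStream {
    struct Stream {
        address sender;     // who deposited and may claw back
        address recipient;  // who may withdraw; cannot be changed after creation
        IERC20 asset;       // escrowed ERC-20 (e.g. a fee-on-transfer-free stablecoin)
        uint128 deposit;    // total amount escrowed at creation
        uint128 withdrawn;  // amount already paid out (to recipient or clawed back)
        uint40 startTime;
        uint40 endTime;
    }

    // Assumed grace period after the stream ends; the report suggests about a year.
    uint40 public constant CLAWBACK_DELAY = 365 days;

    uint256 public nextStreamId = 1;
    mapping(uint256 => Stream) public streams;

    event Withdrawn(uint256 indexed streamId, address indexed to, uint128 amount);
    event ClawedBack(uint256 indexed streamId, address indexed sender, uint128 amount);

    // Escrow the full deposit up front, as the Lockup contracts do.
    function create(IERC20 asset, address recipient, uint128 deposit, uint40 endTime)
        external
        returns (uint256 streamId)
    {
        require(recipient != address(0), "zero recipient");
        require(deposit > 0, "zero deposit");
        require(endTime > block.timestamp, "end time in the past");
        streamId = nextStreamId++;
        streams[streamId] = Stream({
            sender: msg.sender,
            recipient: recipient,
            asset: asset,
            deposit: deposit,
            withdrawn: 0,
            startTime: uint40(block.timestamp),
            endTime: endTime
        });
        require(asset.transferFrom(msg.sender, address(this), deposit), "transferFrom failed");
    }

    // Linear release: the share of the deposit unlocked so far.
    function streamedAmount(uint256 streamId) public view returns (uint128) {
        Stream storage s = streams[streamId];
        if (block.timestamp <= s.startTime) return 0;
        if (block.timestamp >= s.endTime) return s.deposit;
        uint256 elapsed = block.timestamp - s.startTime;
        uint256 duration = uint256(s.endTime) - s.startTime;
        return uint128((uint256(s.deposit) * elapsed) / duration);
    }

    function withdrawableAmount(uint256 streamId) public view returns (uint128) {
        return streamedAmount(streamId) - streams[streamId].withdrawn;
    }

    // Normal path: only the fixed recipient can pull unlocked funds.
    function withdraw(uint256 streamId, uint128 amount) external {
        Stream storage s = streams[streamId];
        require(msg.sender == s.recipient, "not recipient");
        require(amount <= withdrawableAmount(streamId), "exceeds withdrawable");
        s.withdrawn += amount;
        require(s.asset.transfer(s.recipient, amount), "transfer failed");
        emit Withdrawn(streamId, s.recipient, amount);
    }

    // Mitigation from the report: after endTime + CLAWBACK_DELAY the sender may
    // recover everything the recipient never withdrew (e.g. a blacklisted address).
    function clawback(uint256 streamId) external {
        Stream storage s = streams[streamId];
        require(msg.sender == s.sender, "not sender");
        require(block.timestamp >= uint256(s.endTime) + CLAWBACK_DELAY, "grace period active");
        uint128 remaining = s.deposit - s.withdrawn;
        require(remaining > 0, "nothing to claw back");
        s.withdrawn = s.deposit; // effects before interaction; recipient can no longer withdraw
        require(s.asset.transfer(s.sender, remaining), "transfer failed");
        emit ClawedBack(streamId, s.sender, remaining);
    }
}
```

The grace period is the key design choice: clawback() is only reachable after the recipient has had the full stream duration plus CLAWBACK_DELAY to withdraw, so it cannot be used to cut a live stream short, and marking the stream as fully withdrawn before the transfer keeps the recipient and sender paths mutually exclusive.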

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Info/Gas/Invalid as per Docs

https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
