Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: low
Invalid

Sender can create non-withdrawable streams by abusing `updateMetadata` modifier

Summary

A sender can create a non-withdrawable stream by abusing the unlimited gas forwarded to the SablierV2Lockup.sol::onLockupStreamWithdrawn hook together with the updateMetadata modifier.

Vulnerability Details

Similarly to finding 3.2.1 in the previous audit, the sender can create a callback that makes the withdraw function revert due to OOG (out of gas).

Impact

Receivers can be fooled and never withdraw their tokens, due to the DoS caused by the OOG that occurs if the sender creates an onLockupStreamWithdrawn callback that is too expensive.

Tools Used

Manual review

Recommendations

Same as the previous audit: change the updateMetadata modifier to emit its event before the function body is executed, not after.
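The ordering problem and the recommended fix, as an added Solidity sketch that is not Sablier's code and not part of the original submission. Only the names `updateMetadata`, `MetadataUpdate` and `onLockupStreamWithdrawn` come from the finding; the hook signature, the `Stream` layout, `createStream`, `withdrawFixed` and every other identifier are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustrative sketch, not Sablier's code. Only `updateMetadata`,
// `MetadataUpdate` and `onLockupStreamWithdrawn` come from the finding;
// the hook signature, the stream layout and every other name are assumptions.

interface ISenderHook {
    function onLockupStreamWithdrawn(uint256 streamId, address caller, address to, uint128 amount) external;
}

contract LockupSketch {
    event MetadataUpdate(uint256 streamId);
    event WithdrawFromLockupStream(uint256 indexed streamId, address indexed to, uint128 amount);

    struct Stream {
        address sender;
        address recipient;
        uint128 deposited;
        uint128 withdrawn;
    }

    mapping(uint256 => Stream) internal _streams;
    uint256 public nextStreamId = 1;

    // Ordering the finding objects to: the event is emitted AFTER the body.
    // Under EIP-150 the external call inside the body may consume all but 1/64
    // of the gas available at the call site. The body itself survives (the hook
    // is wrapped in try/catch), but this emit then runs on that 1/64 leftover
    // and reverts the whole withdraw whenever the leftover is not enough.
    modifier updateMetadata(uint256 streamId) {
        _;
        emit MetadataUpdate(streamId);
    }

    // Recommended ordering: emit first, so no gas-consuming work is left after
    // the body and the hook's gas usage cannot make the call fail afterwards.
    modifier updateMetadataFixed(uint256 streamId) {
        emit MetadataUpdate(streamId);
        _;
    }

    // Minimal stream creation so the sketch can be exercised in a test.
    function createStream(address recipient, uint128 deposited) external returns (uint256 streamId) {
        streamId = nextStreamId++;
        _streams[streamId] = Stream({sender: msg.sender, recipient: recipient, deposited: deposited, withdrawn: 0});
    }

    // Original ordering: a gas-hungry sender hook can make this revert.
    function withdraw(uint256 streamId, address to, uint128 amount) external updateMetadata(streamId) {
        _withdraw(streamId, to, amount);
    }

    // Same body, metadata event emitted before it: the hook cannot block the withdraw.
    function withdrawFixed(uint256 streamId, address to, uint128 amount) external updateMetadataFixed(streamId) {
        _withdraw(streamId, to, amount);
    }

    function _withdraw(uint256 streamId, address to, uint128 amount) internal {
        Stream storage s = _streams[streamId];
        require(msg.sender == s.recipient, "caller is not the recipient");
        require(amount > 0 && s.withdrawn + amount <= s.deposited, "invalid amount");

        // Effects and the withdraw event happen before the external call
        // (checks-effects-interactions); the token transfer is elided here.
        s.withdrawn += amount;
        emit WithdrawFromLockupStream(streamId, to, amount);

        // Interaction: notify a contract sender. try/catch swallows a revert in
        // the hook but cannot give back gas the hook has already consumed.
        if (s.sender.code.length > 0) {
            try ISenderHook(s.sender).onLockupStreamWithdrawn(streamId, msg.sender, to, amount) {} catch {}
        }
    }
}
```

To check the two orderings in a test, deploy a sender contract whose `onLockupStreamWithdrawn` consumes all gas forwarded to it and create a stream from it: `withdraw` reverts once the retained 1/64 cannot cover the trailing `MetadataUpdate` emit, while `withdrawFixed` completes and the recipient's `withdrawn` balance increases. Because the retained 1/64 is a share of the gas present at the call site, the amount of gas the recipient supplies decides whether the trailing emit fits, which is why the fix is to leave nothing after the hook rather than to rely on callers supplying more gas.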

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Withdraw DoS enabled by external call and `updateMetadata` modifier

0xnevi Judge about 1 year ago
inallhonesty Lead Judge about 1 year ago
vesla0x1 Submitter about 1 year ago
vesla0x1 Submitter about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Withdraw DoS enabled by external call and `updateMetadata` modifier
