Sablier
Sablier
DeFiFoundry
53,440 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

`SablierV2MerkleLT` & `SablierV2MerkleLL` would always fail during deployment for some to-be-integrated assets

bauchibred

Summary

The constructors for the SablierV2MerkleLL and SablierV2MerkleLT contracts attempt to max approve the Sablier contract to spend funds using uint256.max, which fails for tokens that cannot handle such large approvals. This issue contradicts the protocol's claim of compatibility with any ERC20 token, as some tokens revert on large value approvals. As a result, the deployments of these contracts will fail for such tokens, disrupting the connection between the Merkle contracts and the LOCKUP_LINEAR contract, thereby breaking functionality.

Vulnerability Details

Take a look at https://github.com/Cyfrin/2024-05-Sablier/blob/43d7e752a68bba2a1d73d3d6466c3059079ed0c6/v2-periphery/src/SablierV2MerkleLT.sol#L55-L57

constructor(
//snip
// Max approve the Sablier contract to spend funds from the MerkleLockup contract.
ASSET.forceApprove(address(LOCKUP_TRANCHED), type(uint256).max);
}

Also https://github.com/Cyfrin/2024-05-Sablier/blob/43d7e752a68bba2a1d73d3d6466c3059079ed0c6/v2-periphery/src/SablierV2MerkleLL.sol#L50-L53

constructor(
//snip
// Max approve the Sablier contract to spend funds from the MerkleLockup contract.
//@audit this would always fail for tokens that can't approve uint256.max
ASSET.forceApprove(address(LOCKUP_LINEAR), type(uint256).max);
}

These are the currently implemented constructors for both the SablierV2MerkleLL& SablierV2MerkleLT contracts, issue is that the attempt at approving uint256.max would always fail for supported tokens.

Now from the contest's readMe, protocol have stated to be compatible with any ERC20 token, albeit they listed a few properties/assumptions that must be held, none of this assumption showcases that tokens that revert on large value approvals are not integrated.

Now in the case where the integrated tokens does not allow for large approvals like UNI/ COMP then this attempt to force approve type(uint256).max could fail.

Impact

Failure in constructing both the SablierV2MerkleLL& SablierV2MerkleLT contracts for some to be integrated assets in the case where they revert on large approvals.

Would be key to note that this easily translates to a broken connection between " SablierV2MerkleLL& SablierV2MerkleLT" and the LOCKUP_LINEARcontract, since in the latter (SablierV2LockupLinear) there is no attempt of these max approvals before transferring the assets value to both the contract ant the broker fee collector, but the former always has this which would break the functionality for this asset.

Tools Used

Manual review

Recommendations

Consider outrightly stating that these sort of tokens are not supported.

Additional Note

Depending on the end ERC20 to be integrated, in some cases approvals of a large value would revert which would mean the attempt at deploying would always fail, in some other cases however the the token then sets a predetermined max native to them whenever type(uint256).max) is passed as the approval value like in UNI.

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

ERC20 UNI and COMP Revert on Large Approvals

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.