When minting an NFT for a particular stream, the contract uses the mint
function to mint the NFT to the receiver address.
We are submitting this issue since the bot report did not mention all the places where the mint is used.
The bot report mentions only the SablierV2LockupTranched.sol
contract.
But the mint function is also used in other places, such as SablierV2LockupDynamic.sol
and SablierV2LockupLinear.sol.
When a stream is created, an NFT is minted to the receiver address, whose holder uses it to receive the funds from the stream sender.
Sablier has the following types of streams: SablierV2LockupDynamic.sol,
SablierV2LockupLinear.sol
and SablierV2LockupTranched.sol.
For example,
SablierV2LockupDynamic.sol#L353-L358
Using ERC721::_mint() can mint ERC721 tokens to addresses which don't support ERC721 tokens (a contract recipient that never implements onERC721Received, leaving the stream NFT stranded), while ERC721::_safeMint() ensures that ERC721 tokens are only minted to addresses which support them. OpenZeppelin discourages the use of _mint().
Manual review
Use _safeMint() instead of _mint() for ERC721. Also, add a re-entrancy guard, since _safeMint() hands control to the recipient contract through the onERC721Received callback.
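The two mint paths side by side, as an added example rather than Sablier's own code: the `Lockup`, `RejectingReceiver` and `AcceptingReceiver` contracts and the `createStream*` functions are hypothetical, and the OpenZeppelin import paths assume v5 (in v4, ReentrancyGuard lives under `security/` and the failure is a string revert instead of `ERC721InvalidReceiver`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// OpenZeppelin v5 paths assumed; in v4 ReentrancyGuard lives under security/.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Hypothetical, stripped-down lockup: each stream is an ERC721 whose holder is the recipient.
contract Lockup is ERC721, ReentrancyGuard {
    struct Stream { address sender; uint128 amount; bool isStream; }
    mapping(uint256 => Stream) public streams;
    uint256 public nextStreamId = 1;

    constructor() ERC721("Lockup Stream", "LOCK") {}

    /// Weak form: _mint never calls the recipient, so a contract that cannot
    /// handle ERC721 still receives the NFT and the stream becomes unclaimable.
    function createStreamUnsafe(address recipient, uint128 amount) external returns (uint256 id) {
        id = nextStreamId++;
        streams[id] = Stream(msg.sender, amount, true);
        _mint(recipient, id);
    }

    /// Hardened form: _safeMint reverts unless a contract recipient returns
    /// IERC721Receiver.onERC721Received.selector. Because that callback hands
    /// control to the recipient, stream state is written before the mint
    /// (checks-effects-interactions) and the function is nonReentrant.
    function createStream(address recipient, uint128 amount) external nonReentrant returns (uint256 id) {
        id = nextStreamId++;
        streams[id] = Stream(msg.sender, amount, true);
        _safeMint(recipient, id);
    }
}

/// Constructed recipient that deliberately does NOT implement IERC721Receiver:
/// createStreamUnsafe(address(this), ...) succeeds and strands the stream NFT here;
/// createStream(address(this), ...) reverts with ERC721InvalidReceiver (OZ v5).
contract RejectingReceiver {}

/// Constructed recipient that accepts the callback: both paths succeed.
contract AcceptingReceiver is IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata) external pure returns (bytes4) {
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

To check the behaviour in a Foundry test, call `createStreamUnsafe` and `createStream` with `address(new RejectingReceiver())` and expect only the second to revert.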
https://github.com/Cyfrin/2024-05-Sablier/issues/1