Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: medium
Valid

Attacker can hijack airdrop using tx reordering

Summary

SablierV2MerkleLockupFactory uses `new` (CREATE) to deploy airdrop contracts. The airdrop funds are then expected to be transferred to the new contract in a separate transaction. An attacker can use mempool reordering or a block reorg to create an airdrop contract at the same address but with himself as admin, and then call clawback to steal the funds.

Vulnerability Details

Contract creation with `new` (CREATE) derives the new contract's address deterministically from the creator's address and nonce only:

new_address = last 20 bytes of keccak256(rlp([sender, nonce]))

In this case, SablierV2MerkleLockupFactory is the sender, with its current nonce. The resulting address therefore depends only on the factory and its nonce, not on who called the factory or which parameters were passed.

Suppose Alice wants to create a new airdrop contract. She calls createMerkleLL or createMerkleLT and then, in a second transaction sent in close succession, transfers the airdrop funds to the new contract address, which she already knows.

An attacker, Bob, sees those transactions in the mempool and calls createMerkleLL or createMerkleLT with himself as admin in baseParams. Because the address depends only on the factory's nonce, his contract lands at the same address as Alice's. He then uses Flashbots or another reordering method to insert his transaction before Alice's.

He then calls clawback to steal the airdrop funds that Alice sent to that address.

See https://github.com/code-423n4/2023-08-pooltogether-findings/issues/31 for a similar attack vector.

Impact

High, as this is a direct loss of funds, but probably reduced to Medium due to the specific attack conditions.

Tools Used

Manual review

Recommendations

Use CREATE2 with a salt derived from Alice's parameters, so the address is bound to her and her admin choice, or require the funds transfer to happen in the same transaction as the creation.
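The following is an added illustration of the first recommendation, not Sablier's code: a hypothetical `CampaignFactory` with the vulnerable CREATE pattern next to a CREATE2 variant whose salt commits to the caller and the admin, plus a helper the sponsor can use to precompute the address before funding it. `Campaign`, `CampaignFactory` and the function names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

/// Stand-in for the airdrop contract the factory deploys (hypothetical, not Sablier's).
contract Campaign {
    address public immutable admin;
    constructor(address admin_) { admin = admin_; }
}

contract CampaignFactory {
    event Created(address campaign, address admin);

    /// Vulnerable pattern: with CREATE the address is f(factory, factory nonce).
    /// Whoever consumes this nonce first gets the expected address, with their own admin.
    function createWithCreate(address admin) external returns (Campaign c) {
        c = new Campaign(admin);
        emit Created(address(c), admin);
    }

    /// Hardened pattern: CREATE2 with a salt that commits to the caller and the admin.
    /// A front-runner with a different caller address or admin lands elsewhere, so the
    /// address the sponsor funds can only hold a contract deployed on her behalf.
    function createWithCreate2(address admin) external returns (Campaign c) {
        bytes32 salt = keccak256(abi.encode(msg.sender, admin));
        c = new Campaign{salt: salt}(admin);
        emit Created(address(c), admin);
    }

    /// Lets the sponsor compute the CREATE2 address off-chain or on-chain before
    /// sending funds, and check the deployed address against it.
    function predictCreate2(address creator, address admin) external view returns (address) {
        bytes32 salt = keccak256(abi.encode(creator, admin));
        bytes32 initCodeHash = keccak256(
            abi.encodePacked(type(Campaign).creationCode, abi.encode(admin))
        );
        return address(uint160(uint256(
            keccak256(abi.encodePacked(bytes1(0xff), address(this), salt, initCodeHash))
        )));
    }
}
```

The second recommendation (pulling the funds inside the creating call) is an alternative that removes the funding gap entirely and is not shown here.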

Updates

Lead Judging Commences

inallhonesty (Lead Judge), about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

CREATE is vulnerable to ChainReorgs
