Sablier

DeFiFoundry

53,440 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Lack of Explicit Checks for Approval of Non-Existent Owners or Operators in the SablierV2Lockup contract

lordofterra

Summary

The cancel, burn, and withdraw functions rely on the _isCallerStreamRecipientOrApproved function to verify whether the caller (msg.sender) is authorized to perform the action. However, _isCallerStreamRecipientOrApproved does not explicitly check if the recipient (owner) or the operator exists. This oversight can lead to scenarios where approvals are set for non-existent addresses, causing potential security risks.

Proof of concept

Checking approval for a non-existent owner.

function testNonExistentOwnerApproval() public {

address nonExistentOwner = address(0x123); // Assuming this address has no tokens

address operator = address(this);

// Expecting false since the owner does not exist

bool isApproved = contractInstance.isApprovedForAll(nonExistentOwner, operator);

assert(!isApproved);

}

Checking approval for a non-existent operator.

function testNonExistentOperatorApproval() public {

address owner = address(0x456); // Assuming this address owns some tokens

address nonExistentOperator = address(0x789); // Assuming this address is not an operator

// Expecting false since the operator does not exist

bool isApproved = contractInstance.isApprovedForAll(owner, nonExistentOperator);

assert(!isApproved);

}

Checking approval for zero address as owner or operator.

function testZeroAddressApproval() public {

address zeroAddress = address(0);

address operator = address(this);

// Expecting false since the owner is the zero address

bool isApprovedForZeroOwner = contractInstance.isApprovedForAll(zeroAddress, operator);

assert(!isApprovedForZeroOwner);

address owner = address(0x456); // Assuming this address owns some tokens

// Expecting false since the operator is the zero address

bool isApprovedForZeroOperator = contractInstance.isApprovedForAll(owner, zeroAddress);

assert(!isApprovedForZeroOperator);

}

Impact

The function may return false for non-existent addresses, which is generally safe but can lead to confusion or unexpected behavior.
If the contract logic assumes the existence of an owner or operator without validation, it could potentially be exploited in edge cases or during complex interactions.

Tools Used

Manual review

Recommendations

Implement explicit checks to ensure that both the owner and operator addresses exist before performing approval checks. This can be done by verifying that the addresses are not zero and that they are valid within the context of the contract.

Here is an example function that implements the various checks

function isApprovedForAll(address owner, address operator) public view virtual override returns (bool) {

require(owner != address(0), "Owner address is zero");

require(operator != address(0), "Operator address is zero");

return _operatorApprovals[owner][operator];

}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

53,440 USDC

nSLOC

2,655

20 USDC / LOC

High Medium

45,000 USDC

Low

3,100 USDC

Judges

5,340 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.