Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: medium
Invalid

No enforcement of Airstream funding can cause race conditions, MEV incentivisation and user loss

Summary

When an Airstream is created, there is no requirement for funds to be added straight away to allow claims. There is also no requirement that the Airstream be fully funded when it receives funds; it can be funded with any amount the target asset allows.

This incentivises claimers to monitor the Airstream for incoming funds and to back-run the funding transaction so that they can claim their rewards before others use up the added funds. Users with monitoring tools gain an unfair advantage, and a race condition arises between users who try to beat each other to claim first so that their claim succeeds.

Vulnerability Details

SablierV2MerkleLockupFactory::createMerkleLL()

    function createMerkleLL(
        MerkleLockup.ConstructorParams memory baseParams,
        ISablierV2LockupLinear lockupLinear,
        LockupLinear.Durations memory streamDurations,
        uint256 aggregateAmount,
        uint256 recipientCount
    )
        external
        returns (ISablierV2MerkleLL merkleLL)
    {
        // Deploy the MerkleLockup contract with CREATE.
        merkleLL = new SablierV2MerkleLL(baseParams, lockupLinear, streamDurations);
        // Log the creation of the MerkleLockup contract, including some metadata that is not stored on-chain.
        emit CreateMerkleLL(merkleLL, baseParams, lockupLinear, streamDurations, aggregateAmount, recipientCount);
    }

Upon Airstream creation there is no requirement for funding, partial or full.

Users can interact fully with the Airstream without using the Sablier UI: the ipfsCID is included in the Airstream creation transaction, so a user can access the Merkle proof data directly. Sepolia example:

Airstream Deploy

IPFS Merkle Data

This means that users can use Flashbots or similar services to monitor for funding transactions to the Airstream contract and back-run them, ensuring they are first, or among the first, to claim before funds run out.

Impact

No enforcement of Airstream funding on deployment means that Airstreams can be partially funded at any time. This incentivises MEV back-running (via Flashbots and similar platforms, to place a claim transaction as close to the funding transaction as possible) or general contract monitoring, allowing sophisticated users to claim their rewards before others and creating a race in which all users compete to claim. Some users will be able to claim their rewards, whilst others will be unable to claim and will not receive any rewards.

Tools Used

Manual Review

Recommendations

To ensure that Sablier provides a fair system for all users utilising the protocol (admins and claimers), apply the following changes:

Ensure Airstreams are fully funded before claims start, and provide a function for admins to start the claim process, at which point the grace period starts. Admins should be able to withdraw funds before the grace period ends by cancelling the Airstream fully. This ensures admins keep full control of the funds and the grace period, whilst preventing the negative experience for claimers and removing the incentive for MEV back-running.

Otherwise, add a warning for users in the documentation and on the Airstream UI, informing them that the Airstream is partially funded. Currently a user can see the balance in the contract and compare it to the total distribution amount; however, there is no real warning that this can cause losses to the user if the funds run out.
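
A sketch of the first recommendation, added here as an example and not taken from the submission or from Sablier's code base: claims stay closed until the contract holds the full distribution, and the admin can cancel until the grace period ends. The names FundingGatedAirstream, startClaims and cancel, the 7-day GRACE_PERIOD, and the direct token payout (in place of creating a Lockup stream) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical sketch, not Sablier code. Assumes a token whose transfer() returns bool.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}
contract FundingGatedAirstream {
    IERC20 public immutable ASSET;
    address public immutable ADMIN;
    bytes32 public immutable MERKLE_ROOT;
    uint256 public immutable AGGREGATE_AMOUNT; // assumed to equal the sum of all Merkle leaves
    uint40 public constant GRACE_PERIOD = 7 days; // assumed value
    uint40 public claimsStartTime; // 0 until the admin opens claims
    bool public cancelled;
    mapping(uint256 index => bool) public claimed;
    constructor(IERC20 asset, bytes32 merkleRoot, uint256 aggregateAmount) {
        ASSET = asset;
        ADMIN = msg.sender;
        MERKLE_ROOT = merkleRoot;
        AGGREGATE_AMOUNT = aggregateAmount;
    }
    // Claims open only once the full distribution is held, so claim order no longer matters.
    function startClaims() external {
        require(msg.sender == ADMIN && !cancelled && claimsStartTime == 0, "cannot start");
        require(ASSET.balanceOf(address(this)) >= AGGREGATE_AMOUNT, "underfunded");
        claimsStartTime = uint40(block.timestamp);
    }

    function claim(uint256 index, address recipient, uint128 amount, bytes32[] calldata proof) external {
        require(claimsStartTime != 0 && !cancelled && !claimed[index], "claim unavailable");
        // Double-hashed leaf, then a sorted-pair walk up to the root.
        bytes32 node = keccak256(bytes.concat(keccak256(abi.encode(index, recipient, amount))));
        for (uint256 i = 0; i < proof.length; ++i) {
            bytes32 p = proof[i];
            node = node < p ? keccak256(abi.encodePacked(node, p)) : keccak256(abi.encodePacked(p, node));
        }
        require(node == MERKLE_ROOT, "invalid proof");
        claimed[index] = true;
        require(ASSET.transfer(recipient, amount), "transfer failed");
    }

    // Admin may cancel the whole airstream before claims start or during the grace period.
    function cancel() external {
        require(msg.sender == ADMIN && !cancelled, "cannot cancel");
        require(claimsStartTime == 0 || block.timestamp <= claimsStartTime + GRACE_PERIOD, "grace over");
        cancelled = true;
        require(ASSET.transfer(ADMIN, ASSET.balanceOf(address(this))), "transfer failed");
    }
}
```

The funding check is only as good as AGGREGATE_AMOUNT: the contract cannot verify on-chain that it matches the sum of the Merkle leaves, so that value has to be checked against the published tree.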

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
