Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: medium
Invalid

The function `_update` does not check whether the `address to` is the same as `_ownerOf(streamId)`

Summary

The function `_update` is used to switch the owner of a stream, and if the current owner names themselves as the new owner it will not flag this. This is because there is no check that the recipient address differs from the current owner of the stream. This is not a bug but a logic error.

Vulnerability Details

This logic error makes the update almost pointless: if the previous owner and the new owner of a stream are the same address, the transfer accomplishes nothing.
For instance:

  • A boss employs Bob
  • The boss creates a 12-month payroll stream that is not cancellable
  • Bob works for 9 months
  • Bob wants to quit
  • The boss gets Alice to take over
  • The boss asks Bob to transfer ownership
  • Bob agrees but transfers to himself to take the 10th month's pay
  • The boss is not happy

```solidity
function _update(
    address to,
    uint256 streamId,
    address auth
)
    internal
    override
    updateMetadata(streamId)
    returns (address)
{
    address from = _ownerOf(streamId);
@>  if (from != address(0) && to != address(0) && !_streams[streamId].isTransferable) {
        revert Errors.SablierV2Lockup_NotTransferable(streamId);
    }
```
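As an added illustration (not Sablier's code), the following minimal ERC-721 shows how an OpenZeppelin v5 style `_update` hook gates transfers on a per-stream flag, with a separate explicit guard for the `from == to` case this report is concerned with. The contract name `GatedStreamNFT`, the `create` function, the `Stream` struct and the error names `NotTransferable` and `SelfTransfer` are all assumptions; the `updateMetadata` modifier from the original is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Sablier's code. It relies on the OpenZeppelin v5
// ERC-721 `_update(to, tokenId, auth)` hook, which runs on mint, burn and
// transfer; `from` is address(0) on mint and `to` is address(0) on burn.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

contract GatedStreamNFT is ERC721 {
    // Hypothetical stream record holding only the flag the hook reads.
    struct Stream { bool isTransferable; }

    mapping(uint256 streamId => Stream) internal _streams;
    uint256 private _nextStreamId = 1;

    error NotTransferable(uint256 streamId);
    error SelfTransfer(uint256 streamId);

    constructor() ERC721("GatedStream", "GST") {}

    // Mint a stream NFT to `recipient`; inside the hook `from` is address(0).
    function create(address recipient, bool transferable) external returns (uint256 streamId) {
        streamId = _nextStreamId++;
        _streams[streamId] = Stream({isTransferable: transferable});
        _mint(recipient, streamId);
    }

    function _update(address to, uint256 streamId, address auth)
        internal
        override
        returns (address)
    {
        address from = _ownerOf(streamId);
        bool isTransfer = from != address(0) && to != address(0);

        // A recipient equal to the current owner changes nothing, so reject
        // it explicitly instead of letting it pass as a silent no-op.
        if (isTransfer && from == to) {
            revert SelfTransfer(streamId);
        }
        // Mint and burn always pass; a real transfer needs the flag set.
        if (isTransfer && !_streams[streamId].isTransferable) {
            revert NotTransferable(streamId);
        }
        return super._update(to, streamId, auth);
    }
}
```

Because the hook sits below `transferFrom` and `safeTransferFrom`, both guards apply to every transfer path without duplicating the checks in each entry point.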

Impact

This logic error affects the smart contract because a user who wants to keep receiving the stream deposits, instead of transferring the stream to another user, can do so by transferring it to themselves.

Let's say Bob employs Alice for the contract period.
Alice works for a

Tools Used

Manual review

Recommendations

Add an extra check to the `if` statement:

+ if (from != address(0) && to != address(0) && !_streams[streamId].isTransferable && from != to) {
revert Errors.SablierV2Lockup_NotTransferable(streamId);
}
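
Review bot: the added `from != to` term narrows the condition, so a self-transfer (`from == to`) of a non-transferable stream now skips the `SablierV2Lockup_NotTransferable` revert instead of being flagged, which is the opposite of what the Summary asks for. If the goal is to reject a recipient equal to the current owner, give that case its own check before this one, for example `if (from == to) revert <NewError>(streamId);` (a new error would be needed), rather than folding it into the transferability condition. The `+` line also has no matching `-` line for the original condition it replaces, so the diff as shown would leave both versions in place.
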

Updates

Lead Judging Commences
inallhonesty (Lead Judge), about 1 year ago

Submission Judgement Published
inallhonesty (Lead Judge), about 1 year ago
Invalidated
Reason: Incorrect statement
