Fjord Token Staking

Summary

Malicious actors can withdraw tokens of vested Sablier stream directly to the FjordStaking contract by setting the to parameter of SablierV2Lockup::withdraw() function to the address of the FjordStaking contract. Since theFjordStaking contract does not track these withdrawals, the tokens become locked.

Vulnerability Details

The SablierV2Lockup::withdraw() and SablierV2Lockup::withdrawMax() functions allow anyone to withdraw tokens from a vested Sablier stream to the owner of Sablier stream.

Here’s how the issue arises:

1. The malicious actor calls withdraw() or withdrawMax() with the to parameter set to the FjordStaking contract address.

2. The contract checks if the to address matches the recipient (the stream owner, which is the FjordStaking contract in this case) or if the caller is an approved party:
   SablierV1Lockup::withdraw()#L375

   address recipient = _ownerOf(streamId);

   ​

   // Check: if `msg.sender` is neither the stream's recipient nor an approved third party, the withdrawal address

   // must be the recipient.

   >> if (to != recipient && !_isCallerStreamRecipientOrApproved(streamId)) {

   revert Errors.SablierV1Lockup_WithdrawalAddressNotRecipient(streamId, msg.sender, to);

   }

3. Since the FjordStaking contract is the stream owner, the validation passes, and the tokens are withdrawn to the FjordStaking contract.

4. However, the FjordStaking contract does not track these withdrawn tokens or allocate them to the correct stakers.

Root Cause: Sablier allows anyone to withdraw tokens of a stream to the stream owner, but the FjordStaking contract does not track the withdrawn tokens for stakers to handle this scenario.

Impact

When users unstake their vested Sablier streams, they cannot receive the withdrawn tokens, which become permanently locked in the FjordStaking contract.

Tools Used

vscode

Recommendations

Tracks the withdrawn tokens of vested Sablier stream, send these tokens to stakers when they unstake the vested steams.