DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

Cancellable Sablier streams can be canceled without calling the `onStreamCanceled` hook

Summary

The protocol uses a version of Sablier that has a known issue with cancellable streams: a stream can be canceled without the `onStreamCanceled` hook being executed.

You can see more on this issue here https://codehawks.cyfrin.io/c/2024-05-Sablier/s/181

Vulnerability Details

When users stake their Sablier stream they call the `stakeVested` function, which stakes the NFT and transfers it to the staking contract. This function accepts Sablier streams that are cancellable, meaning the sender can decide to cancel the stream if they feel the recipient is breaking their agreement. When a stream is canceled on Sablier, it calls the `onStreamCanceled` function on the current NFT owner address, which for staked streams is the staking contract. The `onStreamCanceled` function unstakes the NFT:

```solidity
function onStreamCanceled(
    uint256 streamId,
    address sender,
    uint128 senderAmount,
    uint128 /*recipientAmount*/
) external override onlySablier checkEpochRollover {
    address streamOwner = _streamIDOwners[streamId];
    if (streamOwner == address(0)) revert StreamOwnerNotFound();
    _redeem(streamOwner);
    NFTData memory nftData = _streamIDs[streamOwner][streamId];
    uint256 amount =
        uint256(senderAmount) > nftData.amount ? nftData.amount : uint256(senderAmount);
    // @-> the unstake only happens if the hook actually executes
    _unstakeVested(streamOwner, streamId, amount);
    emit SablierCanceled(streamOwner, streamId, sender, amount);
}
```

The problem is that the stream sender can cancel the stream while supplying just enough gas to complete the cancellation but not enough to execute the code in the `onStreamCanceled` hook. As a result, the stream is canceled on Sablier, yet it remains staked in the protocol and keeps earning rewards.

Impact

Canceled streams will remain staked in the protocol.

Tools Used

Manual Analysis

Recommendations

  1. Don't accept cancellable Sablier streams

  2. Use the latest version of Sablier that mitigates this bug
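The following is an added illustration of the first recommendation, not code from the audited protocol or from Sablier. It assumes a minimal subset of the Sablier V2 Lockup interface (`isCancelable`, `wasCanceled`, ERC-721 `transferFrom`) and adds a hypothetical `sweepCanceled` function as defense in depth so that a stream recorded as staked can never keep earning once Sablier reports it canceled, even if the hook never ran.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Assumed subset of the Sablier V2 Lockup interface; only what the checks below need.
interface ISablierV2Lockup {
    function isCancelable(uint256 streamId) external view returns (bool);
    function wasCanceled(uint256 streamId) external view returns (bool);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

/// Hypothetical staking contract fragment showing the guard, not the protocol's own code.
contract VestedStakingGuard {
    ISablierV2Lockup public immutable sablier;
    mapping(uint256 => address) internal _streamIDOwners;

    error CancelableStreamNotAllowed(uint256 streamId);
    error StreamOwnerNotFound(uint256 streamId);
    error StreamNotCanceled(uint256 streamId);

    event StreamStaked(address indexed owner, uint256 indexed streamId);
    event CanceledStreamSwept(address indexed owner, uint256 indexed streamId);

    constructor(ISablierV2Lockup sablier_) {
        sablier = sablier_;
    }

    /// Recommendation 1: refuse any stream the sender is still able to cancel.
    /// A non-cancelable stream cannot be made cancelable later, so the check holds
    /// for the whole time the NFT is held by this contract.
    function stakeVested(uint256 streamId) external {
        if (sablier.isCancelable(streamId)) revert CancelableStreamNotAllowed(streamId);
        sablier.transferFrom(msg.sender, address(this), streamId); // caller approved us first
        _streamIDOwners[streamId] = msg.sender;
        emit StreamStaked(msg.sender, streamId);
    }

    /// Defense in depth: if a stream is nonetheless canceled on Sablier while still
    /// recorded as staked (the hook did not execute), anyone may force the unstake.
    /// The real contract would call its _unstakeVested / reward accounting here.
    function sweepCanceled(uint256 streamId) external {
        address owner = _streamIDOwners[streamId];
        if (owner == address(0)) revert StreamOwnerNotFound(streamId);
        if (!sablier.wasCanceled(streamId)) revert StreamNotCanceled(streamId);
        delete _streamIDOwners[streamId];
        sablier.transferFrom(address(this), owner, streamId);
        emit CanceledStreamSwept(owner, streamId);
    }
}
```

Because `sweepCanceled` reads the canceled state directly from Sablier instead of relying on the hook, the staking position cannot outlive the stream regardless of how much gas the sender attached to the cancel call.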

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
