DeFiFoundry
20,000 USDC
Submission Details
Severity: high
Invalid

Customers' Fjord tokens can be permanently locked within FjordStaking

Summary

  • Customers are able to stake their Fjord Sablier streams in FjordStaking

  • Anyone can trigger a withdraw directly from Sablier as long as recipient matches to.

  • Sablier checks if to equals the current recipient of streamId. If to equals the current recipient of streamId then Sablier will withdraw the tokens assigned to streamId to recipient.

With this understanding, an operator can permanently lock customers' Fjord tokens within the FjordStaking contract by calling withdraw() on Sablier with the customer's streamId. There's no way for the customer to retrieve his Fjord tokens after Sablier sends his Fjord tokens to FjordStaking.

Vulnerability Details

  1. Customer receives a Fjord Sablier stream with a streamId of 1337

  2. Customer stakes this stream in FjordStaking

  3. Operator calls withdraw() on Sablier using Customer's streamId

  4. Sablier sends Fjord tokens to FjordStaking

  5. Customer calls unstakeVested() using his streamId

  6. Customer receives his stream with fewer Fjord tokens than there should be

  7. Customer doesn't have a way to retrieve his missing Fjord tokens

Impact

Customers' tokens are locked within the staking contract permanently

Recommendations

Adjustments should be made to a customer's stake using the onLockupStreamWithdrawn() hook.

Updates

Lead Judging Commences

inallhonesty Lead Judge
10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
