Flow

Sablier
Foundry, DeFi
20,000 USDC
Submission Details
Severity: low
Invalid

`_depositViaBroker` can fail if broker fee is 0 for some tokens

Summary

The `_depositViaBroker` function can be used to deposit tokens to a stream while paying a broker a fee. The issue is that this fee can be 0 if the broker sets their rate at 0, or if the deposit is very small. Some tokens revert on 0 value transfers, which would make this transaction fail.

Vulnerability Details

The _depositViaBroker function calculates a broker fee.

```solidity
(uint128 brokerFeeAmount, uint128 depositAmount) =
    Helpers.checkAndCalculateBrokerFee(totalAmount, broker, /* ... */);

// Checks, Effects, and Interactions: deposit on stream.
_deposit(streamId, depositAmount);
```

This brokerFeeAmount can be 0 if the broker fee rate is 0%, or if the deposit amount is small enough that the fee percentage calculates to 0. In this case, the contract tries to transfer 0 tokens.

```solidity
_streams[streamId].token.safeTransferFrom({ from: msg.sender, to: broker.account, value: brokerFeeAmount });
```

The issue is that certain tokens, like the LEND token on mainnet, don't allow 0 value transfers. If such tokens are used, this contract will fail since it tries to do 0 value transfers.

Impact

Transactions can revert when using tokens which don't support 0 value transfers.

Tools Used

Manual

Recommendations

Consider skipping the transferFrom call if the value is calculated to be 0.
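The failure and the recommended guard, side by side, as an added example that is not part of the submission or of Sablier's code. `ZeroRevertToken`, `BrokerDepositSketch` and its functions are hypothetical names, and the fee formula (an 18-decimal fraction of the total, rounded down) is an assumption made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed mock token: rejects zero-value transfers, the behaviour the report describes.
contract ZeroRevertToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        require(value > 0, "zero-value transfer");
        allowance[from][msg.sender] -= value; // reverts on insufficient allowance (checked math)
        balanceOf[from] -= value;             // reverts on insufficient balance
        balanceOf[to] += value;
        return true;
    }
}

/// Hypothetical harness (not Sablier code): models only the fee split and the two transfers.
contract BrokerDepositSketch {
    uint256 internal constant UNIT = 1e18; // assumption: fee is an 18-decimal fraction, 1e18 = 100%

    /// Mirrors the reported flow: always transfers the broker fee, even when it is 0.
    function depositUnguarded(ZeroRevertToken token, uint128 total, address broker, uint256 fee) external {
        _deposit(token, total, broker, fee, false);
    }

    /// Applies the recommendation: skips the broker transfer when the fee is 0.
    function depositGuarded(ZeroRevertToken token, uint128 total, address broker, uint256 fee) external {
        _deposit(token, total, broker, fee, true);
    }

    function _deposit(ZeroRevertToken token, uint128 total, address broker, uint256 fee, bool skipZero) private {
        require(fee <= UNIT, "fee above 100%");
        // Rounds down, so the result is 0 when fee == 0 or when total * fee < 1e18.
        uint128 brokerFeeAmount = uint128(uint256(total) * fee / UNIT);
        require(token.transferFrom(msg.sender, address(this), total - brokerFeeAmount), "deposit failed");
        if (skipZero && brokerFeeAmount == 0) return;
        require(token.transferFrom(msg.sender, broker, brokerFeeAmount), "fee transfer failed");
    }
}
```

After the caller mints and approves tokens, a call with `fee = 0`, or with `total = 99` and `fee = 1e16` (1%), makes `depositUnguarded` revert with "zero-value transfer", while `depositGuarded` completes and leaves the broker balance unchanged.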

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[INVALID] Some token revert on 0 transfer and the broker fee might be 0
