Flow

Sablier
Foundry, DeFi
20,000 USDC
Submission Details
Severity: low
Invalid

`_depositViaBroker` can fail if broker fee is 0 for some tokens

Summary

The `_depositViaBroker` function deposits tokens to a stream while paying a fee to a broker. This fee can be 0 if the broker sets their rate to 0, or if the deposit is very small. Some tokens revert on 0 value transfers, which would cause this transaction to fail.

Vulnerability Details

The _depositViaBroker function calculates a broker fee.

```solidity
(uint128 brokerFeeAmount, uint128 depositAmount) =
    Helpers.checkAndCalculateBrokerFee(totalAmount, broker,
// Checks, Effects, and Interactions: deposit on stream.
_deposit(streamId, depositAmount);
```

This brokerFeeAmount can be 0 if the broker fee rate is 0%, or if the deposit amount is small enough that the fee percentage calculates to 0. In this case, the contract tries to transfer 0 tokens.

```solidity
_streams[streamId].token.safeTransferFrom({ from: msg.sender, to: broker.account, value: brokerFeeAmount });
```

The issue is that certain tokens don't allow 0 value transfers, like the LEND token on mainnet. If such a token is used, the call reverts because the contract attempts a 0 value transfer.

Impact

Transactions can revert when using tokens which don't support 0 value transfers.

Tools Used

Manual

Recommendations

Consider skipping the transferFrom call if the value is calculated to be 0.
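
The failure mode and the recommended guard, as an added example that is not Sablier Flow code: `ZeroRevertToken`, `BrokerDepositSketch`, `splitFee` and the 1e18 fee scale are hypothetical names and assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Sablier Flow code: all names below are hypothetical.

/// Constructed token that rejects zero-value transfers, like the tokens the report describes.
contract ZeroRevertToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        require(value != 0, "zero-value transfer");
        allowance[from][msg.sender] -= value; // checked math: reverts if insufficient
        balanceOf[from] -= value;
        balanceOf[to] += value;
        return true;
    }
}

contract BrokerDepositSketch {
    uint256 internal constant UNIT = 1e18; // assumed fee scale: 1e18 == 100%

    /// Fee rounds down, so it is 0 when feeRate == 0 or totalAmount * feeRate < UNIT.
    function splitFee(uint128 totalAmount, uint256 feeRate) public pure returns (uint128 fee, uint128 deposit) {
        require(feeRate <= UNIT, "fee above 100%");
        fee = uint128(uint256(totalAmount) * feeRate / UNIT);
        deposit = totalAmount - fee;
    }

    /// Mirrors the pattern in the report: the fee transfer always runs, so a 0 fee reverts.
    function depositUnguarded(ZeroRevertToken token, uint128 total, address broker, uint256 feeRate) external {
        (uint128 fee, uint128 deposit) = splitFee(total, feeRate);
        token.transferFrom(msg.sender, address(this), deposit);
        token.transferFrom(msg.sender, broker, fee);
    }

    /// Recommended form: skip the broker transfer when the fee is 0.
    function depositGuarded(ZeroRevertToken token, uint128 total, address broker, uint256 feeRate) external {
        (uint128 fee, uint128 deposit) = splitFee(total, feeRate);
        token.transferFrom(msg.sender, address(this), deposit);
        if (fee > 0) token.transferFrom(msg.sender, broker, fee);
    }
}
```

With a 1% rate (`feeRate = 1e16`) and `total = 99`, `splitFee` returns a fee of 0, so `depositUnguarded` reverts against this token while `depositGuarded` completes.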

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[INVALID] Some token revert on 0 transfer and the broker fee might be 0
