Flow

Sablier
Foundry, DeFi
20,000 USDC
Submission Details
Severity: low
Invalid

Incorrect Conditional Logic on the _coveredDebtOf function which will lead to refund and refundAndPause issues

Summary

The comment on the code block states:

If the stream balance is less than or equal to the total debt, return the stream balance.

Therefore, the check on the _coveredDebtOf function checked for the opposite.

Vulnerability Details

The sablierFlow::refund function is responsible for refunding funds to a specific stream ID. It internally calls the sablierFlow::_refund function, which manages the refund process. However, the _refund function relies on sablier::_refundableAmountOf to calculate the refundable amount, and in turn, sablier::_refundableAmountOf uses sablier::_coveredDebtOf to compute the covered debt based on the stream balance.

The issue lies within the sablier::_coveredDebtOf function, where the check currently ensures that the stream balance is less than the total debt, but it fails to handle cases where the balance is exactly equal to the total debt. As a result, the function does not return the balance in these situations, which could lead to incorrect calculations. Therefore, this will lead to sablierFlow::refund and sablierFlow::refundAndPause issues when a streamId requests a refund.

```solidity
function _coveredDebtOf(uint256 streamId) internal view returns (uint128) {
    uint128 balance = _streams[streamId].balance;
    // If the balance is zero, return zero.
    if (balance == 0) {
        return 0;
    }
    uint256 totalDebt = _totalDebtOf(streamId);
    // If the stream balance is less than or equal to the total debt, return the stream balance.
    if (balance < totalDebt) { //@audit
        return balance;
    }
    // At this point, the total debt fits within `uint128`, as it is less than or equal to the balance.
    return totalDebt.toUint128();
}
```

Impact

The vulnerability affects the accuracy of debt calculations within the system. If the balance is equal to the total debt, this logic would fail to return the correct value, potentially causing financial discrepancies in the system. This could result in unintended behavior, or inaccurate reporting of debts that could mislead users interacting with the protocol.

If User A has 1000 tokens and their total debt is also 1000 tokens, the user will not receive the expected balance. Instead, the function will return an inaccurate debt calculation, which will mislead User A by failing to reflect the correct balance. This will cause User A not to get accurate refunds.

Tools Used

Manual Code Review

Recommendations

To resolve this issue, update the conditional check to:

```solidity
function _coveredDebtOf(uint256 streamId) internal view returns (uint128) {
    uint128 balance = _streams[streamId].balance;
    // If the balance is zero, return zero.
    if (balance == 0) {
        return 0;
    }
    uint256 totalDebt = _totalDebtOf(streamId);
    // If the stream balance is less than or equal to the total debt, return the stream balance.
    if (balance <= totalDebt) {
        return balance;
    }
    // At this point, the total debt fits within `uint128`, as it is less than or equal to the balance.
    return totalDebt.toUint128();
}
```

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[INVALID] `_coveredDebtOf` discrepancy between condition and comment `balance < totalDebt`
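
A Foundry test for the boundary this finding and its judgement turn on, added here as an example and not taken from the submission or from Sablier's code base. It models both listings of `_coveredDebtOf` as pure functions and compares what they return, including at `balance == totalDebt`. The contract names, the direct `balance`/`totalDebt` parameters and the `_toUint128` helper are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

import { Test } from "forge-std/Test.sol";

/// Stand-alone model of the two `_coveredDebtOf` listings on this page.
/// Assumption: `balance` and `totalDebt` are passed in directly instead of
/// being read from `_streams` and `_totalDebtOf`.
contract CoveredDebtModel {
    // Checked narrowing, standing in for the `toUint128` call in the listings.
    function _toUint128(uint256 x) private pure returns (uint128) {
        require(x <= type(uint128).max, "uint128 overflow");
        return uint128(x);
    }

    // First listing: strict comparison.
    function coveredStrict(uint128 balance, uint256 totalDebt) public pure returns (uint128) {
        if (balance == 0) return 0;
        if (balance < totalDebt) return balance;
        return _toUint128(totalDebt);
    }

    // Recommended listing: inclusive comparison.
    function coveredInclusive(uint128 balance, uint256 totalDebt) public pure returns (uint128) {
        if (balance == 0) return 0;
        if (balance <= totalDebt) return balance;
        return _toUint128(totalDebt);
    }
}

contract CoveredDebtBoundaryTest is Test {
    CoveredDebtModel internal model = new CoveredDebtModel();

    // The case from the Impact section: balance == totalDebt == 1000.
    function test_EqualBalanceAndDebt() public {
        assertEq(uint256(model.coveredStrict(1000, 1000)), uint256(1000));
        assertEq(uint256(model.coveredInclusive(1000, 1000)), uint256(1000));
    }

    // Fuzz over all inputs: the two listings must return the same value,
    // and neither may revert in the narrowing cast.
    function testFuzz_ListingsAgree(uint128 balance, uint256 totalDebt) public {
        uint256 strict = model.coveredStrict(balance, totalDebt);
        uint256 inclusive = model.coveredInclusive(balance, totalDebt);
        assertEq(strict, inclusive);
    }
}
```

When `balance == totalDebt`, the strict listing falls through to the cast and returns `totalDebt`, which is the same number as `balance`, so both tests pass with `forge test`.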
