When aggregateBalance[token] -= revenue is executed, there is no check that the balance is sufficient. If aggregateBalance[token] is less than revenue, the subtraction underflows, resulting in an unexpected aggregateBalance[token] value.
https://github.com/Cyfrin/2024-10-sablier/blob/main/src/abstracts/SablierFlowBase.sol#L208-L221
In this code, unchecked is used, but there is no guarantee that aggregateBalance[token] > revenue (protocolRevenue[token]). Although this is a function with onlyAdmin privileges, the size relationship between aggregateBalance[token] and protocolRevenue[token] can still be checked. If aggregateBalance[token] < revenue, calling this function will cause aggregateBalance[token] to wrap around to (near) the maximum uint256 value. I think this is a medium risk.
As long as there is a token whose aggregateBalance[token] is an unexpectedly small value (smaller than its protocolRevenue[token]), the value of aggregateBalance can be wrapped and manipulated.
Manual review
Before performing the subtraction, check that aggregateBalance[token] is greater than or equal to revenue, and revert otherwise.
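The pattern described above next to the recommended fix, as an added, simplified example that is not the Sablier code: a hypothetical RevenueAccounting contract with the two counters, one collector that subtracts inside unchecked and one that verifies the invariant first (both counters are uint256 here for brevity, and a plain transfer stands in for SafeERC20).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

/// Minimal stand-in for the ERC-20 interface; only transfer is needed here.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Hypothetical accounting contract modelling the two counters from the finding.
contract RevenueAccounting {
    address public immutable admin;
    mapping(IERC20 token => uint256 amount) public aggregateBalance;
    mapping(IERC20 token => uint256 revenue) public protocolRevenue;

    error NotAdmin();
    error NoProtocolRevenue(IERC20 token);
    error RevenueExceedsAggregateBalance(IERC20 token, uint256 revenue, uint256 balance);

    constructor() { admin = msg.sender; }

    modifier onlyAdmin() { if (msg.sender != admin) revert NotAdmin(); _; }

    /// The pattern the finding describes: unchecked silences the 0.8.x underflow revert,
    /// so when aggregateBalance[token] < revenue the counter wraps to near type(uint256).max.
    function collectUnchecked(IERC20 token, address to) external onlyAdmin returns (uint256 revenue) {
        revenue = protocolRevenue[token];
        if (revenue == 0) revert NoProtocolRevenue(token);
        protocolRevenue[token] = 0;
        unchecked {
            aggregateBalance[token] -= revenue; // wraps instead of reverting on underflow
        }
        require(token.transfer(to, revenue), "transfer failed");
    }

    /// Recommended fix: verify aggregateBalance[token] >= revenue before subtracting.
    /// With the guard in place, unchecked is safe and saves the redundant overflow check;
    /// dropping unchecked would also work, since checked subtraction reverts on underflow.
    function collectChecked(IERC20 token, address to) external onlyAdmin returns (uint256 revenue) {
        revenue = protocolRevenue[token];
        if (revenue == 0) revert NoProtocolRevenue(token);
        uint256 balance = aggregateBalance[token];
        if (balance < revenue) revert RevenueExceedsAggregateBalance(token, revenue, balance);
        protocolRevenue[token] = 0;
        unchecked {
            aggregateBalance[token] = balance - revenue; // cannot underflow after the guard
        }
        require(token.transfer(to, revenue), "transfer failed");
    }
}
```

A custom error with both values makes an invariant break visible on-chain instead of leaving a silently wrapped counter behind.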