Flow

Sablier
Foundry, DeFi
20,000 USDC
Submission Details
Severity: low
Invalid

[L-1] _refundableAmountOf :: SablierFlow can cause unnecessary reverts

Description

    function _refundableAmountOf(uint256 streamId) internal view returns (uint128) {
        return _streams[streamId].balance - _coveredDebtOf(streamId);
    }

The function could be made to return int128, just in case _coveredDebtOf(streamId) > _streams[streamId].balance. The functions which utilize _refundableAmountOf should have an if statement and check that the value returned by _refundableAmountOf is > 0 before utilizing it.

Impact

Could cause unnecessary reverts, which could waste gas.

Recommended mitigation

    function _refundableAmountOf(uint256 streamId) internal view returns (int128) {
        // Convert each operand before subtracting: a checked uint128 subtraction
        // would revert on underflow before the cast is applied.
        // Explicit casts do not revert, so both values must fit in int128.
        return int128(_streams[streamId].balance) - int128(_coveredDebtOf(streamId));
    }

    // Then functions that utilize _refundableAmountOf should use an if statement
    // and check if the value returned is > 0,
    // e.g.
    function _refund(uint256 streamId, uint128 amount) internal {
        // Check: the refund amount is not zero.
        if (amount == 0) {
            revert Errors.SablierFlow_RefundAmountZero(streamId);
        }

        // Calculate the refundable amount.
        int128 refundableAmount = _refundableAmountOf(streamId);

        if (refundableAmount > 0) {
            // Check: the refund amount is not greater than the refundable amount.
            if (amount > uint128(refundableAmount)) {
                // Cast back to uint128 (safe here, the value is positive) for the error argument.
                revert Errors.SablierFlow_RefundOverflow(streamId, amount, uint128(refundableAmount));
            }

            // Although the refundable amount should never exceed the balance, this condition is checked
            // to avoid exploits in case of a bug.
            if (uint128(refundableAmount) > _streams[streamId].balance) {
                revert Errors.SablierFlow_InvalidCalculation(streamId, _streams[streamId].balance, amount);
            }

            address sender = _streams[streamId].sender;
            IERC20 token = _streams[streamId].token;

            // Safe to use unchecked because at this point, the amount cannot exceed the balance.
            unchecked {
                // Effect: update the stream balance.
                _streams[streamId].balance -= amount;
                // Effect: update the aggregate balance.
                aggregateBalance[token] -= amount;
            }

            // Interaction: perform the ERC-20 transfer.
            token.safeTransfer({ to: sender, value: amount });

            // Log the refund.
            emit ISablierFlow.RefundFromFlowStream(streamId, sender, amount);
        }
    }
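
Added example, not part of the submission or of Sablier's code: Solidity 0.8 checks an unsigned subtraction before any cast of its result is applied, so where the conversion sits decides whether an underflow reverts. The library name and all function names below are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative only: a hypothetical library, not Sablier code.
library RefundMathExample {
    /// Same shape as the function quoted in the Description: checked uint128
    /// subtraction. Reverts with Panic(0x11) when coveredDebt > balance.
    function checked(uint128 balance, uint128 coveredDebt) internal pure returns (uint128) {
        return balance - coveredDebt;
    }

    /// Casting the result changes nothing about the revert: the subtraction is
    /// still evaluated in uint128 and panics before the conversion runs.
    /// The explicit cast itself never reverts; it wraps above type(int128).max.
    function castAfter(uint128 balance, uint128 coveredDebt) internal pure returns (int128) {
        return int128(balance - coveredDebt);
    }

    /// Widening each operand first gives a true signed difference. Every
    /// uint128 value fits in int256, so neither conversion can wrap.
    function signedDiff(uint128 balance, uint128 coveredDebt) internal pure returns (int256) {
        return int256(uint256(balance)) - int256(uint256(coveredDebt));
    }

    /// Non-reverting unsigned alternative: clamp at zero, so callers keep
    /// their existing uint128 comparisons and error arguments.
    function clamped(uint128 balance, uint128 coveredDebt) internal pure returns (uint128) {
        return coveredDebt >= balance ? 0 : balance - coveredDebt;
    }
}
```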
Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
