Flow

Sablier
Foundry, DeFi
20,000 USDC
Submission Details
Severity: high
Invalid

SablierFlowBase::collectProtocolRevenue() and SablierFlowBase::recover() Lack Zero Address Check for to Parameter (Improper Input Validation + Potential Asset Loss)

Description

The functions SablierFlowBase::collectProtocolRevenue() and SablierFlowBase::recover() do not validate the to parameter to ensure it is not the zero address. Allowing transfers to the zero address can inadvertently result in permanent asset loss, as funds sent to the zero address are irretrievable.

Impact

  1. Permanent asset loss

Recommended Mitigation

In SablierFlowBase::collectProtocolRevenue(), add the following check:

+ if (to == address(0)) {
+ revert Errors.SablierFlow_WithdrawToZeroAddress(streamId);
+ }
// Check: there is protocol revenue to collect.
if (revenue == 0) {
revert Errors.SablierFlowBase_NoProtocolRevenue(address(token));
}
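Review bot: The added revert passes `streamId`, but nothing in the visible context of collectProtocolRevenue() defines a stream id; the existing check right below it reverts with `address(token)`, which suggests the function is scoped to a token rather than a stream, so the check as written likely would not compile here. The error name `SablierFlow_WithdrawToZeroAddress` also describes a withdrawal, while the neighbouring error uses the `SablierFlowBase_` prefix; a dedicated error for this function, taking no stream argument or taking the token, would match the surrounding code better. The description also names recover(), but no corresponding check for that function is shown in the mitigation.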
Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
