Flow

Sablier
FoundryDeFi
20,000 USDC
Submission Details
Severity: high
Invalid

A criminal can get the whole system blacklisted, freezing honest users' funds

Vulnerability Details

Tokens like USDC have blacklists to comply with law enforcement. If a criminal commits a crime and sends the proceeds in USDC to SablierFlow, the SablierFlow contract itself can be blacklisted, freezing everyone's USDC flows on the system, including those of honest users.

Impact

A blacklist triggered by a single criminal can punish every user of Sablier Flow, freezing forever all USDC (or any token with a blacklist) deposited in Flows.

Note that not even SablierFlowBase::recover() would help, as it only transfers the surplus. If the criminal deposits the USDC as a stream via create(), the surplus generated by the criminal's funds is 0.

Recommendations

Have at least the funds being flowed held by separate contracts rather than a single one. That way, if a criminal sends crime money into the SablierFlow system and the receiving address ends up blacklisted, only the funds in that one contract are frozen, not the entire system.

To reduce gas costs, deploy one logic contract and make the individual fund holders thin proxies that delegatecall into it.

Example:

Currently -> All funds held by SablierFlow contract.

Fix -> Keep the logic as it is, but associate each streamId with a contract that holds that stream's balance and performs its transfers. The criminal's funds then land in that contract, and only that address gets blacklisted.
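As an added illustration of the per-stream holder layout proposed above (example code written for this write-up, not Sablier's own; contract and function names are hypothetical, and stream accounting is reduced to a single recipient and a fixed balance), each stream's deposit is sent to its own EIP-1167 clone, so a token-level blacklist hits only that clone:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Per-stream fund holder (hypothetical). Deployed as a minimal proxy clone, so each
/// stream's deposit sits at its own address: blacklisting one vault freezes one stream only.
contract StreamVault {
    using SafeERC20 for IERC20;
    address public controller; // the flow contract that created this clone

    function initialize(address controller_) external {
        require(controller == address(0), "already initialized");
        controller = controller_;
    }

    function pay(IERC20 token, address to, uint256 amount) external {
        require(msg.sender == controller, "not controller");
        token.safeTransfer(to, amount);
    }
}

/// Flow contract sketch (hypothetical): the shared logic lives here, the funds do not.
contract IsolatedFlow {
    using SafeERC20 for IERC20;
    struct Stream { IERC20 token; address recipient; address vault; uint256 balance; }
    address public immutable vaultImpl;
    uint256 public nextStreamId = 1;
    mapping(uint256 => Stream) public streams;

    constructor() { vaultImpl = address(new StreamVault()); }

    function create(IERC20 token, address recipient, uint256 amount) external returns (uint256 id) {
        id = nextStreamId++;
        address vault = Clones.clone(vaultImpl);
        StreamVault(vault).initialize(address(this));
        streams[id] = Stream(token, recipient, vault, amount);
        // The deposit goes straight to the per-stream vault, never to this contract.
        token.safeTransferFrom(msg.sender, vault, amount);
    }

    function withdraw(uint256 id, uint256 amount) external {
        Stream storage s = streams[id];
        require(msg.sender == s.recipient, "not recipient");
        require(amount <= s.balance, "insufficient");
        s.balance -= amount;
        StreamVault(s.vault).pay(s.token, s.recipient, amount);
    }
}
```

The StreamVault implementation itself can be initialized by anyone but never holds funds, so that is harmless; a production version would add the rate-based accounting that Sablier Flow's streams actually use.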

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

charlescheerful Submitter 8 months ago
inallhonesty Lead Judge 8 months ago
inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
