Flow

Sablier
FoundryDeFi
20,000 USDC
Submission Details
Severity: low
Invalid

Missing Zero Address Check for Recipient in Stream Creation

Summary

Vulnerability Details

The internal _create function checks that sender is not the zero address but performs no equivalent check on recipient, so a call with recipient == address(0) passes the function's own input validation. In practice this does not lead to a direct loss of funds: each stream is represented by an ERC-721 NFT that _create mints to the recipient, and the mint reverts when the receiver is the zero address, so the whole call is rolled back. The gap is therefore a deviation from the contract's own validation pattern (the sender is rejected with a dedicated SablierFlow_SenderZeroAddress error, while a zero recipient is rejected only by the token layer's generic ERC-721 error) rather than a path to misdirected funds.

Proof of Concept

    function _create(
        address sender,
        address recipient, // @audit No zero address validation
        UD21x18 ratePerSecond,
        IERC20 token,
        bool transferable
    ) internal returns (uint256 streamId) {
        // Checks sender but not recipient
        if (sender == address(0)) {
            revert Errors.SablierFlow_SenderZeroAddress();
        }
        // ... rest of the function
    }

The function validates that sender != address(0) but has no equivalent check for the recipient parameter.

Tools Used

Manual Review

Recommendations

Add a zero address check for the recipient parameter similar to the sender check:

    function _create(
        address sender,
        address recipient,
        UD21x18 ratePerSecond,
        IERC20 token,
        bool transferable
    ) internal returns (uint256 streamId) {
        // Check: the sender is not the zero address.
        if (sender == address(0)) {
            revert Errors.SablierFlow_SenderZeroAddress();
        }
+       // Check: the recipient is not the zero address.
+       if (recipient == address(0)) {
+           revert Errors.SablierFlow_RecipientZeroAddress(); // New error type needed
+       }
        // ... rest of the function
    }

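
The following Foundry test is an added example, not Sablier code, and illustrates both the Vulnerability Details and the Recommendation above: a minimal stream stub (StreamStub, with the hypothetical errors SenderZeroAddress and RecipientZeroAddress and a constructor flag guardRecipient) that mints an ERC-721 per stream, exercised once without and once with the recommended recipient check. It assumes a Foundry project with forge-std and OpenZeppelin Contracts v5 installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Sablier's code. Assumes forge-std and OpenZeppelin v5 are installed.
import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Errors} from "@openzeppelin/contracts/interfaces/draft-IERC6093.sol";

/// Minimal stand-in for a stream contract: each stream is an ERC-721 owned by the recipient.
contract StreamStub is ERC721 {
    error SenderZeroAddress();     // hypothetical, mirrors SablierFlow_SenderZeroAddress
    error RecipientZeroAddress();  // hypothetical, the error the finding recommends adding

    struct Stream {
        address sender;
        address recipient;
    }

    mapping(uint256 streamId => Stream) public streams;
    uint256 public nextStreamId = 1;
    bool public immutable guardRecipient; // whether the explicit recipient check is enabled

    constructor(bool guard) ERC721("Stream", "STRM") {
        guardRecipient = guard;
    }

    function create(address sender, address recipient) external returns (uint256 streamId) {
        // Sender check, as in the audited function.
        if (sender == address(0)) revert SenderZeroAddress();
        // Recommended recipient check. Without it, a zero recipient is still rejected,
        // but only later, by ERC721._mint, with the token layer's generic error.
        if (guardRecipient && recipient == address(0)) revert RecipientZeroAddress();

        streamId = nextStreamId++;
        streams[streamId] = Stream({sender: sender, recipient: recipient});
        _mint(recipient, streamId); // reverts with ERC721InvalidReceiver(address(0)) for recipient == 0
    }
}

contract ZeroRecipientTest is Test {
    address internal constant SENDER = address(0xA11CE);
    address internal constant RECIPIENT = address(0xB0B);

    /// Unguarded path: the zero recipient is rejected by the NFT mint, not by the stream logic,
    /// and the whole call (including the streams[] write) is rolled back.
    function test_unguarded_zeroRecipientRevertsInMint() public {
        StreamStub stub = new StreamStub(false);
        vm.expectRevert(
            abi.encodeWithSelector(IERC721Errors.ERC721InvalidReceiver.selector, address(0))
        );
        stub.create(SENDER, address(0));
        assertEq(stub.nextStreamId(), 1); // no stream was recorded
    }

    /// Guarded path: same outcome, but with a dedicated error that names the actual cause.
    function test_guarded_zeroRecipientRevertsEarly() public {
        StreamStub stub = new StreamStub(true);
        vm.expectRevert(StreamStub.RecipientZeroAddress.selector);
        stub.create(SENDER, address(0));
        assertEq(stub.nextStreamId(), 1);
    }

    /// A valid recipient passes both checks and receives the stream NFT.
    function test_validRecipientMints() public {
        StreamStub stub = new StreamStub(true);
        uint256 id = stub.create(SENDER, RECIPIENT);
        assertEq(stub.ownerOf(id), RECIPIENT);
        (address sender, address recipient) = stub.streams(id);
        assertEq(sender, SENDER);
        assertEq(recipient, RECIPIENT);
    }
}
```

Run with `forge test --match-contract ZeroRecipientTest -vv`. The first test shows why the finding carries no fund-loss impact: the ERC-721 mint already refuses address(0) and reverts the entire call. The second shows what the explicit check buys, a stream-level error that identifies the bad parameter directly and fails before any storage is written, consistent with how the sender is already validated.
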
Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
