Flow

Sablier

FoundryDeFi

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Some ERC20 tokens will revert on zero amount transfer

x1485967

Summary

Some ERC20 tokens will revert if we transfer zero amount. When we deposit via broker, the broker fee may be round down to zero. This will cause deposit reverted.

Vulnerability Details

In SablierFlow, users can deposit funds via depositViaBroker(). Users have to pay one part of broker fee to the broker. If the user's deposit is small, and the broker.fee is small, the broke fee may be round down to 0. When we try to transfer 0 broker fee to the broker, some tokens may be reverted because of the zero amount, for example, Lend token.

In readme, our reponsor mentions that `Flexible deposit: A stream can be funded with any amount, at any time, by anyone, in full or in parts.`. It's reasonable or expected that users may deposit one small amount of tokens. But this will cause reverted.

function calculateAmountsFromFee(

uint128 totalAmount,

UD60x18 fee

)

internal

pure

returns (uint128 feeAmount, uint128 netAmount)

{

// Calculate the fee amount based on the fee percentage.

@> feeAmount = ud(totalAmount).mul(fee).intoUint128();

// Calculate the net amount after subtracting the fee from the total amount.

netAmount = totalAmount - feeAmount;

}

function _depositViaBroker(uint256 streamId, uint128 totalAmount, Broker memory broker) internal {

// Check: verify the `broker` and calculate the amounts.

// The total amount will be splitted into two parts:

// one part is for broker

// second part is for the deposit.

(uint128 brokerFeeAmount, uint128 depositAmount) =

Helpers.checkAndCalculateBrokerFee(totalAmount, broker, MAX_FEE);

// Checks, Effects, and Interactions: deposit on stream.

_deposit(streamId, depositAmount);

// Interaction: transfer the broker's amount.

// @audit if the brokerFeeAmount equals 0,

@> _streams[streamId].token.safeTransferFrom({ from: msg.sender, to: broker.account, value: brokerFeeAmount });

}

Impact

Some tokens' small amount deposit via broker may be reverted because transferring zero amount broker fee.

Tools Used

Manual

Recommendations

If broker fee is zero, don't need to transfer tokens to the broker.

Updates

Lead Judging Commences

inallhonesty Lead Judge

9 months ago

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[INVALID] Some token revert on 0 transfer and the broker fee might be 0

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

699

29 USDC / LOC

High Medium

19,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.