Flow

Sablier

FoundryDeFi

20,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Uncollected Protocol Fees Before Updating Fee Value in `setProtocolFee` Function

brene

Summary

In the SablierFlowBase contract, the setProtocolFee function allows the protocol fee to be updated without first collecting any previously accrued fees. Changing the fee rate without collecting these fees could lead to revenue discrepancies, causing a potential loss or misallocation of funds.

Vulnerability Details

The setProtocolFee function updates the protocol fee without first collecting any accumulated fees under the previous rate.

function setProtocolFee(IERC20 token, UD60x18 newProtocolFee) external override onlyAdmin {

// Check: the new protocol fee is not greater than the maximum allowed.

if (newProtocolFee > MAX_FEE) {

revert Errors.SablierFlowBase_ProtocolFeeTooHigh(newProtocolFee, MAX_FEE);

}

UD60x18 oldProtocolFee = protocolFee[token];

// Effects: set the new protocol fee.

protocolFee[token] = newProtocolFee;

// Log the change of the protocol fee.

emit ISablierFlowBase.SetProtocolFee({

admin: msg.sender,

token: token,

oldProtocolFee: oldProtocolFee,

newProtocolFee: newProtocolFee

});

// Refresh the NFT metadata for all streams.

emit BatchMetadataUpdate({ _fromTokenId: 1, _toTokenId: nextStreamId - 1 });

}

Impact

Failing to collect previous fees before updating the protocol fee could lead to uncollected revenue, resulting in financial discrepancies for the protocol. If the fee adjustment is made frequently, the lost revenue could compound, reducing the overall income generated from protocol fees. This misalignment could also affect any on-chain accounting mechanisms, causing potential reporting or revenue allocation issues.

Tools Used

Manual Review

Recommendations

Before updating the protocol fee, call the collectProtocolRevenue function to capture all accumulated revenue at the current rate. This ensures that the protocol’s revenue remains consistent with the fee structure and mitigates the risk of uncollected revenue.

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

699

29 USDC / LOC

High Medium

19,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.