The _refund function in the SablierFlow contract lacks handling for cases where the sender's address is blacklisted in USDC's contract. This prevents blacklisted senders from receiving refunds of their remaining stream balance, effectively locking their funds in the contract.
The issue arises because USDC includes a blacklist feature that prevents transfers to/from certain addresses. If a stream sender becomes blacklisted after creating a stream, they cannot receive refunds as the USDC transfer will revert, but the contract doesn't provide any alternative mechanism for fund recovery.
[https://github.com/Cyfrin/2024-10-sablier/blob/8a2eac7a916080f2022527408b004578b21c51d0/src/SablierFlow.sol#L673C1-L711C6](https://github.com/Cyfrin/2024-10-sablier/blob/8a2eac7a916080f2022527408b004578b21c51d0/src/SablierFlow.sol#L673C1-L711C6)
Medium severity because:
- It requires specific conditions: the stream sender must be added to USDC's blacklist after creating the stream
- The recipient would need to intentionally blacklist the sender
- Affects one of the most widely used stablecoins (USDC)
- Stream senders who become blacklisted have no way to recover their remaining stream balance
Manual code review
There are two potential approaches to mitigate this issue:
1. Add an optional "alternativeAddress" parameter to the _refund function.
2. Implement sender transfer functionality to allow changing the sender address.
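To make the locked-funds path and the first mitigation concrete, the following is an added Solidity sketch written for this finding. It is not Sablier's code and does not reproduce the real SablierFlow API: `MiniStream`, `MockBlacklistToken`, `refund`, `refundTo` and the `Stream` struct are all simplified stand-ins constructed for the example. The mock token reverts on any transfer involving a blacklisted account, the way USDC's `Blacklistable` check does; `refund` always pays back to the recorded sender and therefore reverts once that address is blacklisted, while `refundTo` lets the sender (and only the sender) name a different receiving address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for the finding above, not Sablier's code. Names and
// storage layout are hypothetical simplifications.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Constructed mock of a USDC-style token: the issuer can blacklist accounts,
/// and any transfer from or to a blacklisted account reverts.
contract MockBlacklistToken is IERC20 {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public isBlacklisted;
    address public immutable issuer;

    constructor() { issuer = msg.sender; }

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function setBlacklisted(address who, bool flag) external {
        require(msg.sender == issuer, "not issuer");
        isBlacklisted[who] = flag;
    }

    function _move(address from, address to, uint256 amount) internal {
        require(!isBlacklisted[from] && !isBlacklisted[to], "Blacklistable: account is blacklisted");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }

    // Allowance bookkeeping omitted; the example only needs the blacklist revert.
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        _move(from, to, amount);
        return true;
    }
}

/// Hypothetical minimal stream vault standing in for SablierFlow.
contract MiniStream {
    struct Stream { address sender; address recipient; IERC20 token; uint128 balance; }

    uint256 public nextStreamId;
    mapping(uint256 => Stream) public streams;

    function create(address recipient, IERC20 token, uint128 amount) external returns (uint256 id) {
        require(token.transferFrom(msg.sender, address(this), amount), "deposit failed");
        id = nextStreamId++;
        streams[id] = Stream(msg.sender, recipient, token, amount);
    }

    /// Shape of the issue: the refund can only ever go to `stream.sender`.
    /// Once USDC blacklists that address, `token.transfer` reverts on every
    /// call and the remaining balance is stuck in the contract.
    function refund(uint256 id, uint128 amount) external {
        _refund(id, amount, streams[id].sender);
    }

    /// Mitigation 1 from the recommendations: the sender may direct the refund
    /// to an alternative address. Authorisation is still checked in `_refund`,
    /// so nobody but the sender can choose where the funds go.
    function refundTo(uint256 id, uint128 amount, address to) external {
        require(to != address(0), "zero address");
        _refund(id, amount, to);
    }

    function _refund(uint256 id, uint128 amount, address to) internal {
        Stream storage s = streams[id];
        require(msg.sender == s.sender, "not stream sender");
        // A real implementation would also exclude the already-streamed,
        // not-yet-withdrawn portion; this sketch only tracks a single balance.
        require(amount <= s.balance, "insufficient refundable balance");
        s.balance -= amount;                                   // effects before interaction
        require(s.token.transfer(to, amount), "transfer failed");
    }
}
```

Walking through the scenario with this sketch: the sender calls `create`, the token issuer later calls `setBlacklisted(sender, true)`, and from then on `refund` reverts with the blacklist message on every attempt. `refundTo` with a non-blacklisted `to` still succeeds because the vault, not the sender, is the `from` side of the transfer. Whichever mitigation is chosen, the new path should keep the sender-only authorisation check; an alternative-address parameter that anyone could set would turn a liveness bug into a theft vector.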