A malicious user can create a transferable stream with a trusted sender and a positive `RPS` (rate per second), since the protocol lets the stream creator control these parameters.
See the `_create()` function:
On most NFT marketplaces, such as OpenSea and Blur, users list an NFT by approving it to the marketplace contract.
Once the NFT finds a buyer, the marketplace contract transfers the NFT from the owner to the buyer, who pays to receive it.
Here is a realistic scenario in which a malicious user honeypots other users to steal their funds.
Note: this scenario could be crafted in a more malicious way, but for the sake of simplicity we keep it as is.
1. The malicious user creates a stream with the following values:
   balance = 1,000 USDC
   isTransferable = true
   ratePerSecond = 1 USDC
   sender = a company that is trusted and uses the protocol
   token = USDC
   and sets his own wallet address as the recipient.
2. He waits until `snapshotDebtScaled` becomes 2,000 USDC, then lists the NFT on OpenSea for the equivalent of 1,000 USDC.
3. The victim sees that the sender is trusted and that the stream is still streaming, and thinks he can make more than 500 USDC.
4. The attacker, who is monitoring the mempool, front-runs the victim's transaction and withdraws all the debt.
5. The marketplace executes the trade, sends the 1,000 USDC equivalent to the attacker, and sends the stream, which now contains only debt, to the victim.
Victims think they are buying a valuable stream with a trusted sender and end up being scammed.
This leads to a loss of funds for the victim, and to a loss of trust in senders and in the Sablier protocol.
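As an added illustration (not code from the Sablier Flow code base, and not the project's fix), the Python model below replays the scenario with the report's numbers. It uses assumed, simplified stream semantics (debt accrues linearly at `ratePerSecond`, only the part backed by the deposited balance can be withdrawn, and only the current recipient can withdraw), shows why a buyer's guaranteed value is zero once the seller can withdraw the covered debt in the same block, and models the report's recommendation of tying `sender` to the caller as a toggle. All addresses, amounts and function names are constructed.

```python
from dataclasses import dataclass


@dataclass
class Stream:
    """Minimal model of a transferable payment stream (assumed semantics, not Sablier's code)."""
    sender: str            # address displayed as the payer; the creator picks it freely in the reported design
    recipient: str         # holder of the stream NFT; the only party allowed to withdraw
    token: str
    rate_per_second: int   # whole token units per second (constructed: 1 USDC/s, decimals ignored)
    balance: int           # tokens actually deposited and not yet withdrawn
    transferable: bool
    start_time: int
    withdrawn: int = 0     # cumulative amount already paid out to the recipient


def create_stream(caller, sender, recipient, token, rate_per_second, deposit,
                  transferable, now, enforce_caller_is_sender=False):
    """Model of create()+deposit. With enforce_caller_is_sender=False the caller may name any
    address as sender (the reported behaviour); with True the recommended restriction applies
    (an assumed shape of the fix, not the project's patch)."""
    if enforce_caller_is_sender and sender != caller:
        raise ValueError("sender must be the caller")
    return Stream(sender, recipient, token, rate_per_second, deposit, transferable, now)


def total_debt(s: Stream, now: int) -> int:
    """Amount the stream owes the recipient so far and has not yet paid out."""
    return s.rate_per_second * (now - s.start_time) - s.withdrawn


def covered_debt(s: Stream, now: int) -> int:
    """Part of the debt actually backed by deposited tokens: what a withdraw can take right now."""
    return min(s.balance, total_debt(s, now))


def uncovered_debt(s: Stream, now: int) -> int:
    """Debt the sender has not funded; it is only worth something if the sender deposits later."""
    return total_debt(s, now) - covered_debt(s, now)


def withdraw_max(s: Stream, now: int) -> int:
    """The current recipient drains everything covered; the stream keeps accruing uncovered debt."""
    amount = covered_debt(s, now)
    s.balance -= amount
    s.withdrawn += amount
    return amount


def guaranteed_value_to_buyer(s: Stream, now: int) -> int:
    """Tokens a buyer is certain to find in the stream after the transfer, assuming the seller
    (current recipient) withdraws everything covered in the same block (e.g. by front-running).
    Accrued debt and the displayed sender's reputation count for nothing here."""
    return s.balance - covered_debt(s, now)


def honeypot_scenario():
    """Replays the report's numbers (constructed values) and returns the key figures."""
    # 1. creator names a trusted company as sender, himself as recipient, deposits 1,000 USDC
    s = create_stream(caller="0xATTACKER", sender="0xTRUSTED_CO", recipient="0xATTACKER",
                      token="USDC", rate_per_second=1, deposit=1_000, transferable=True, now=0)
    t = 2_000  # 2. waits until 2,000 USDC of debt has accrued, then lists the NFT for 1,000 USDC
    apparent = total_debt(s, t)                 # what the listing looks like: 2,000 USDC owed
    guaranteed = guaranteed_value_to_buyer(s, t)  # what the buyer can actually count on: 0
    drained = withdraw_max(s, t)                # 4. withdraw executed before the marketplace trade
    after = dict(balance=s.balance, total=total_debt(s, t), uncovered=uncovered_debt(s, t))
    return apparent, guaranteed, drained, after


def fix_rejects_foreign_sender() -> bool:
    """With the recommended restriction, naming someone else as sender fails at creation."""
    try:
        create_stream("0xATTACKER", "0xTRUSTED_CO", "0xATTACKER", "USDC", 1, 1_000, True, 0,
                      enforce_caller_is_sender=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(honeypot_scenario())          # (2000, 0, 1000, {'balance': 0, 'total': 1000, 'uncovered': 1000})
    print(fix_rejects_foreign_sender())  # True
```

The figure a buyer should look at before paying for a transferable stream is `guaranteed_value_to_buyer`, not the accrued debt or the sender's name: in the scenario it is already zero at listing time, and after the withdraw the stream holds 0 USDC and 1,000 USDC of uncovered debt attributed to a sender who never agreed to fund it.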
Manual Review.
Don't let anyone control the `sender` parameter.
Modify `create()` and `createAndDeposit()` as follows: