Flow

Sablier
Foundry, DeFi
20,000 USDC
Submission Details
Severity: low
Invalid

A malicious user can prevent recipients from withdrawing their funds to another address.

Summary

Since anyone can call the external withdraw() function, if the recipient wants to withdraw his funds back to the sender for whatever reason, or withdraw them to another third party, a malicious user can prevent him from doing so by front-running his transaction and withdrawing all his funds to the recipient.

Vulnerability Details

https://github.com/Cyfrin/2024-10-sablier/blob/8a2eac7a916080f2022527408b004578b21c51d0/src/SablierFlow.sol#L790C1-L794C10

Impact

A malicious user can cost recipients another transaction and reduce the quality of the experience.

Tools Used

Manual Review.

Recommendations

Allow only the recipient or an approved party to call the withdraw function by modifying the following check:

function _withdraw(
uint256 streamId,
address to,
uint128 amount
)
internal
returns (uint128 withdrawnAmount, uint128 protocolFeeAmount)
{
// Check: the withdraw amount is not zero.
if (amount == 0) {
revert Errors.SablierFlow_WithdrawAmountZero(streamId);
}
// Check: the withdrawal address is not zero.
if (to == address(0)) {
revert Errors.SablierFlow_WithdrawToZeroAddress(streamId);
}
// Check: `msg.sender` is neither the stream's recipient nor an approved third party, the withdrawal address
// must be the recipient.
-- if (to != _ownerOf(streamId) && !_isCallerStreamRecipientOrApproved(streamId)) {
++ if (!_isCallerStreamRecipientOrApproved(streamId)) {
revert Errors.SablierFlow_WithdrawalAddressNotRecipient({ streamId: streamId, caller: msg.sender, to: to });
}
uint8 tokenDecimals = _streams[streamId].tokenDecimals;
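
Review bot: The `++` condition no longer looks at `to`, so the comment above it ("the withdrawal address must be the recipient") and the `SablierFlow_WithdrawalAddressNotRecipient` revert that follows describe a check the code would no longer perform; if the change is kept, rewrite the comment and revert with an error that names the unauthorized caller instead. With `to != _ownerOf(streamId)` dropped, a call from any address other than the recipient or an approved party reverts even when `to` is the recipient, so the change removes the path by which third parties withdraw to the recipient. The write-up should state that trade-off and justify it, since in the front-running case the Summary describes, the funds still arrive at the recipient.
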
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
