Flow

Sablier

FoundryDeFi

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Missing Expiration Check in the `function statusOf`.

Oppenheimer

Summary

The function status continues to report active status for expired streams.

Vulnerability Details

https://github.com/Cyfrin/2024-10-sablier/blob/main/src/SablierFlow.sol#L129-#L155.
The function doesn't check if the stream has reached its end time/expiration as users won't know if a stream is about to end and there is no warning about impending insolvency.

Impact

Users could continue interacting with expired streams and might not realize when funds are running low.
No advance warning of potential payment failures. Also users won't know if a stream is about to end and there is no warning about impending insolvency.

Tools Used

Manual code review.

Recommendations

Include a stream expiration check

// Check if stream is expired

if (block.timestamp >= stream.endTime) {

return Flow.Status.COMPLETED;

}

Suggested fix

function statusOf(uint256 streamId) external view override notNull(streamId) returns (Flow.Status status) {

@> // Check if stream is expired

@> if (block.timestamp >= stream.endTime) {

@> return Flow.Status.COMPLETED;

@> }

// Check: the stream is voided.

if (_streams[streamId].isVoided) {

return Flow.Status.VOIDED;

}

// See whether the stream has uncovered debt.

bool hasDebt = _uncoveredDebtOf(streamId) > 0;

if (_streams[streamId].ratePerSecond.unwrap() == 0) {

// If the stream is paused and has uncovered debt, return PAUSED_INSOLVENT.

if (hasDebt) {

return Flow.Status.PAUSED_INSOLVENT;

}

// If the stream is paused and has no uncovered debt, return PAUSED_SOLVENT.

return Flow.Status.PAUSED_SOLVENT;

}

// If the stream is streaming and has uncovered debt, return STREAMING_INSOLVENT.

if (hasDebt) {

return Flow.Status.STREAMING_INSOLVENT;

}

// If the stream is streaming and has no uncovered debt, return STREAMING_SOLVENT.

status = Flow.Status.STREAMING_SOLVENT;

}

This will prevents interaction with expired streams and provides clear completion status .

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

699

29 USDC / LOC

High Medium

19,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.