Flow NFT can be minted to non-ERC721 receivers
Summary
SablierFlow.sol uses mint instead of safeMint, potentially causing issues with NFT transfers and withdrawals.
Vulnerability Details
Stream recipients receive an ERC721 token that represents their role in a specific stream and allows invoking certain functionalities. The ERC721 mint is called inside the _create(address sender, address recipient, UD21x18 ratePerSecond, IERC20 token, bool transferable) function:
The function _mint(address to, uint256 tokenId) does not check whether the address to is a proper ERC721 receiver. If the recipient specified is a non-ERC721 receiver contract, the NFT may be stuck.
Impact
Minting the NFT to a non-ERC721 receiver may cause the NFT to be stuck and impossible to transfer to anyone else. The NFT bears the rights to the withdrawable tokens, therefore those tokens may get stuck as well. Even though the withdrawal functionality is available to anyone, they can only withdraw to the recipient.
Tools Used
Manual analysis
Recommendations
Use _safeMint(address to, uint256 tokenId) to mint Flow NFTs.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.