Flow

Sablier

FoundryDeFi

20,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Recipient can bypass protocol fee increase

motogascar

Summary

Recipients can bypass protocol fee increases by monitoring the mempool and frontrunning them with max withdrawals to secure lower fee rates.

Vulnerability Details

When admin increases the protocol fee, there's a window of opportunity in the mempool where recipients can frontrun the increase:

Fee calculation is done within the calculateAmountsFromFee function, called by _withdraw function, at the time of withdraw_._ _withdraw function is being called in 2 functions: withdraw, withdrawMax

Recipients can take benefit of this by frontrunning the fee increase transaction sent by admin, max withdrawing with the old and lower fee percentage.

function calculateAmountsFromFee(

uint128 totalAmount,

UD60x18 fee

)

internal

pure

returns (uint128 feeAmount, uint128 netAmount)

{

// Calculate the fee amount based on the fee percentage.

feeAmount = ud(totalAmount).mul(fee).intoUint128();

netAmount = totalAmount - feeAmount;

}

Below you can see the setProtocolFee function, where protocol fees are set.

Protocol fees are set without any timing limitations, function only checks if the protocol fee amount is under 10%.

function setProtocolFee(IERC20 token, UD60x18 newProtocolFee) external override onlyAdmin {

// Check: the new protocol fee is not greater than the maximum allowed.

if (newProtocolFee > MAX_FEE) {

revert Errors.SablierFlowBase_ProtocolFeeTooHigh(newProtocolFee, MAX_FEE);

}

UD60x18 oldProtocolFee = protocolFee[token];

// Effects: set the new protocol fee.

protocolFee[token] = newProtocolFee;

// Log the change of the protocol fee.

emit ISablierFlowBase.SetProtocolFee({

admin: msg.sender,

token: token,

oldProtocolFee: oldProtocolFee,

newProtocolFee: newProtocolFee

});

// Refresh the NFT metadata for all streams.

emit BatchMetadataUpdate({ _fromTokenId: 1, _toTokenId: nextStreamId - 1 });

}

Example scenario for 1000 USDC withdrawal: Recipients would call withdrawMaxfunction for maximum saving with the old and lower fee ratio.

Admin submits tx to change fee from 2% to 10%

2. Recipient frontruns with max withdrawal:

Pays 2% fee: 20 USDC (receives 980 USDC)
Instead of 10% fee: 100 USDC (would receive 900 USDC)
Saves 80 USDC through frontrunning

Impact

Recipient makes unfair saving, while protocol loses fee

Tools Used

Manual Review

Recommendations

Do not apply sharp changes on the fee ratio or use fixed fee for stream durations

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Appeal created

motogascar Submitter

8 months ago

inallhonesty Lead Judge

8 months ago

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

699

29 USDC / LOC

High Medium

19,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.