Flow

Sablier

FoundryDeFi

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

logical flaw hence no withdrawal of streamed tokens if the stream balance is equal to the total debt

obare

Summary

The _coveredDebtOf function in SablierFlow.sol has a logical flaw in its conditional check that can prevent the intended recipient from withdrawing the full stream balance when the balance equals the total debt. This issue results in the withdrawMax function not processing the withdrawal correctly under specific conditions, potentially leaving funds locked.

Vulnerability Details

In SablieFlow:coveredDebtOf() , the if statement only checks when the balance is less than the total debt. This means that when the balance is equal to the total debt, it returns the total debt instead of the stream balance, hence making the withdrawal not happen as the function coveredDebtOf() is called in the withdrawMax()function by the intended recipient.

https://github.com/Cyfrin/2024-10-sablier/blob/main/src/SablierFlow.sol#L467-L470
https://github.com/Cyfrin/2024-10-sablier/blob/main/src/SablierFlow.sol#L435C3-L450C6

// If the balance is zero, return zero.

if (balance == 0) {

return 0;

}

uint256 totalDebt = _totalDebtOf(streamId);

// If the stream balance is less than or equal to the total debt, return the stream balance.

if (balance < totalDebt) {

return balance;

}

// At this point, the total debt fits within `uint128`, as it is less than or equal to the balance.

return totalDebt.toUint128();

Impact

When the balance is equal to totalDebt, the withdrawMax function fails to process the intended withdrawal for the recipient. This could prevent users from retrieving their funds as expected.

scenario:

a stream created where the stream balance equals the total debt (e.g., both set to 1000 tokens).
withdrawMax is called for this stream.
Observe that the function fails to allow full balance withdrawal.

the function should allow withdrawal if the balance is equal to the total debt but does not do so due to the logical flaw.

Tools Used

manual review

Recommendations

In the coveredDebtOf function, update the condition to include an equality check.This change will ensure that withdrawMax behaves as expected, allowing the full balance to be withdrawn when the balance equals the total debt.

if (balance <= totalDebt) {

return balance;

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

[INVALID]`_coveredDebtOf` discrepancy between condition and comment `balance < totalDebt`

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

699

29 USDC / LOC

High Medium

19,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.