Sablier Flow (Foundry, DeFi, 20,000 USDC)

Submission Details

Severity: low
Status: Invalid

Contract lacks a `createAndDepositViaBroker` function

Summary

The `SablierFlow.sol` contract allows the sender to call the `createAndDeposit` function to create a new stream and deposit into it in a single transaction. However, the contract lacks a function that allows the sender to create a stream and deposit via a broker in one transaction.

This creates ambiguity and will lead users to think they cannot deposit via a broker when they create the stream.

Vulnerability Details

If the sender and the recipient have a broker, the sender is expected to deposit via that broker so that the fee amount is received by the agreed broker. The sender can call the `depositViaBroker` function to achieve this.

```solidity
function depositViaBroker(
    uint256 streamId,
    uint128 totalAmount,
    address sender,
    address recipient,
    Broker calldata broker
)
    external
    override
    noDelegateCall
    notNull(streamId)
    notVoided(streamId)
    updateMetadata(streamId)
{
    // Check: the provided sender and recipient match the stream's sender and recipient.
    _verifyStreamSenderRecipient(streamId, sender, recipient);
    // Checks, Effects, and Interactions: deposit on stream through broker.
    _depositViaBroker(streamId, totalAmount, broker);
}
```

The only functions that create a stream are `create` and `createAndDeposit`, and neither allows the first deposit to be made via a broker. This inconsistency will lead users to think they cannot deposit via a broker for their first deposit if they intend to create and deposit in the same transaction.

Impact

This will lead to the broker missing out on the fee for the first deposit when the sender intends to create and deposit in the same transaction.

Tools Used

Manual review

Recommendations

Implement a `createAndDepositViaBroker` function. An example is shown below.

```solidity
function createAndDepositViaBroker(
    address sender,
    address recipient,
    Broker calldata broker,
    UD21x18 ratePerSecond,
    IERC20 token,
    bool transferable,
    uint128 totalAmount
)
    external
    override // requires a matching declaration in the contract's interface
    noDelegateCall
    returns (uint256 streamId)
{
    // Checks, Effects, and Interactions: create the stream.
    streamId = _create(sender, recipient, ratePerSecond, token, transferable);
    // Checks, Effects, and Interactions: deposit on stream through the broker,
    // so the broker fee is taken from the first deposit as well.
    _depositViaBroker(streamId, totalAmount, broker);
}
```

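As an added illustration (not Sablier's code and not part of the submission), the following minimal hypothetical contract shows why a combined create-and-deposit entry point must reuse the broker deposit path: the fee split lives only in `_depositViaBroker`, so a plain `createAndDeposit` never accrues anything to the broker. Token transfers are omitted and the `Broker` struct, basis-point fee encoding and fee cap are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

// Simplified, hypothetical stream contract (not Sablier's code). It keeps only
// the pieces needed to show where the broker fee is carved out of a deposit.
contract MinimalBrokerStreams {
    struct Broker { address account; uint256 feeBps; } // fee in basis points (assumed encoding)
    struct Stream { address sender; address recipient; uint128 balance; }

    uint256 public constant MAX_BROKER_FEE_BPS = 1_000; // assumed 10% cap
    uint256 public nextStreamId = 1;
    mapping(uint256 => Stream) public streams;
    mapping(address => uint256) public brokerFees; // fees accrued per broker account

    function _create(address sender, address recipient) internal returns (uint256 streamId) {
        require(recipient != address(0), "zero recipient");
        streamId = nextStreamId++;
        streams[streamId] = Stream({ sender: sender, recipient: recipient, balance: 0 });
    }

    // Plain deposit: the whole amount funds the stream and no fee is taken.
    function _deposit(uint256 streamId, uint128 amount) internal {
        require(amount > 0, "zero deposit");
        streams[streamId].balance += amount;
    }

    // Broker deposit: the fee is carved out of totalAmount, the remainder funds the stream.
    function _depositViaBroker(uint256 streamId, uint128 totalAmount, Broker calldata broker) internal {
        require(broker.account != address(0), "zero broker");
        require(broker.feeBps <= MAX_BROKER_FEE_BPS, "broker fee too high");
        uint128 fee = uint128((uint256(totalAmount) * broker.feeBps) / 10_000);
        brokerFees[broker.account] += fee;
        _deposit(streamId, totalAmount - fee);
    }

    // Existing shape: the first deposit bypasses any broker, so no fee accrues.
    function createAndDeposit(address sender, address recipient, uint128 amount)
        external returns (uint256 streamId)
    {
        streamId = _create(sender, recipient);
        _deposit(streamId, amount);
    }

    // Recommended shape: the first deposit goes through the same fee split as depositViaBroker.
    function createAndDepositViaBroker(address sender, address recipient, uint128 totalAmount, Broker calldata broker)
        external returns (uint256 streamId)
    {
        streamId = _create(sender, recipient);
        _depositViaBroker(streamId, totalAmount, broker);
    }
}
```

A Foundry test that calls both entry points with the same amount and compares `brokerFees[broker.account]` afterwards makes the missing fee on the plain path visible.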
Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[INVALID] Contract lacks a `createAndDepositViaBroker`

Appeal created

ljj Submitter 8 months ago
inallhonesty Lead Judge 8 months ago

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[INVALID] Contract lacks a `createAndDepositViaBroker`
