Flow

Sablier
FoundryDeFi
20,000 USDC
Submission Details
Severity: low
Valid

Flow stream cannot be created for tokens that do not implement the `decimals` function

Summary

The protocol plans to support all ERC20 tokens except those matching a few excluded criteria, but it will not be able to support tokens that do not implement the `decimals` function.

Vulnerability Details

According to the README, the protocol plans to work with any ERC20 token, except for those matching the criteria highlighted below.

Any ERC-20 token can be used with Flow as long as it adheres to the following assumptions:

  1. The total supply of any ERC-20 token remains below , i.e., type(uint128).max.

  2. The transfer and transferFrom methods of any ERC-20 token strictly reduce the sender's balance by the transfer amount and increase the recipient's balance by the same amount. In other words, tokens that charge fees on transfers are not supported.

  3. An address' ERC-20 balance can only change as a result of a transfer call by the sender or a transferFrom call by an approved address. This excludes rebase tokens, interest-bearing tokens, and permissioned tokens where the admin can arbitrarily change balances.

  4. The token contract does not allow callbacks (e.g., ERC-777 is not supported).

However, SablierFlow incorrectly assumes that the token to be streamed implements a `decimals` function: upon stream creation, it attempts to read the token's decimals by calling `decimals()`.

```solidity
uint8 tokenDecimals = IERC20Metadata(address(token)).decimals(); // reverts if the token has no decimals() function
// Check: the token decimals are not greater than 18.
if (tokenDecimals > 18) {
    revert Errors.SablierFlow_InvalidTokenDecimals(address(token));
}
```

However, not all tokens (including some well-known ones) actually implement a `decimals` function. According to the EIP-20 standard:

decimals

Returns the number of decimals the token uses - e.g. 8, means to divide the token amount by 100000000 to get its user representation.

OPTIONAL - This method can be used to improve usability, but interfaces and other contracts MUST NOT expect these values to be present.

Because the `decimals` function does not exist in these tokens, the call reverts and stream creation fails, so streams for these tokens cannot be created.

Impact

Flow streams for tokens such as cloutContracts, DigixDAO, etc. cannot be created, because the absence of the `decimals` function breaks compatibility.

Tools Used

Manual review.

Recommendations

Recommend querying `decimals` inside a try/catch block. If the call fails, fall back to a hardcoded value of 18 for scaling.
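One way to implement this fallback, as an added example that is not Sablier's code (the library and function names are chosen here). It uses a raw staticcall rather than try/catch so that a token whose fallback returns no data is also handled, and it keeps the report's existing `> 18` check:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example (not part of SablierFlow): resolve a token's decimals without
/// reverting when the token does not implement decimals().
library SafeDecimals {
    // Fallback recommended in the report when decimals() is unavailable.
    uint8 internal constant DEFAULT_DECIMALS = 18;

    error InvalidTokenDecimals(address token);

    function safeDecimals(address token) internal view returns (uint8) {
        // A Solidity try/catch only catches reverts raised inside the callee.
        // If the token has a non-reverting fallback that returns no data, the
        // ABI decoding of the empty return data reverts in the caller, which
        // try/catch does not catch. A raw staticcall with a return-data length
        // check covers both the "reverts" and the "returns nothing" cases.
        (bool ok, bytes memory data) = token.staticcall(abi.encodeWithSignature("decimals()"));
        if (!ok || data.length < 32) {
            return DEFAULT_DECIMALS;
        }

        // Decode as uint256 first: decoding directly as uint8 would revert on a
        // value that does not fit, instead of reaching the explicit check below.
        uint256 d = abi.decode(data, (uint256));
        if (d > 18) revert InvalidTokenDecimals(token);
        return uint8(d);
    }
}
```

Note that defaulting to 18 is a guess: a token that omits `decimals()` but actually uses a different precision would be scaled incorrectly, so the fallback trades strictness for compatibility.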

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Tokens without the decimals() implementation

Appeal created

inh3l Submitter
8 months ago
inallhonesty Lead Judge
8 months ago
inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Tokens without the decimals() implementation
