Flow

Sablier
FoundryDeFi
20,000 USDC
Submission Details
Severity: high
Invalid

There is no allowlist for token decimals, so there is a chance of weird ERC20s on which there are no restrictions.

Summary

According to the docs, the fixed token decimals is 18, and there are weird ERC20s that are not 18 and might disrupt the function of the protocol, leading to severe damage.
That gives rise to the need for allowlists.

Vulnerability Details

uint8 tokenDecimals = _streams[streamId].tokenDecimals;
uint256 balanceScaled = Helpers.scaleAmount({ amount: balance, decimals: tokenDecimals });
uint256 snapshotDebtScaled = _streams[streamId].snapshotDebtScaled;

Impact

High, as allowing incompatible tokens could lead to incorrect balance scaling, debt calculations, and other accounting issues, potentially breaking core protocol functionality.

Likelihood: High, especially in DeFi environments where a wide range of ERC20 tokens could be added by users.

Tools Used

Manual Review

Recommendations

This should be added in the SablierFlow.sol contract, creating an allowlist of token decimals:

+mapping(address => bool) private allowedTokensDecimals;
+function addAllowedToken(address token) external onlyAdmin {
+allowedTokensDecimals[token] = true;
+}
+function _validateToken(address token) internal view {
+require(allowedTokensDecimals[token], "Token not allowed");
+}
uint8 tokenDecimals = _streams[streamId].tokenDecimals;
+require( tokenDecimals == 18, "Incompatible token decimals");
uint256 balanceScaled = Helpers.scaleAmount({ amount: balance, decimals: tokenDecimals });
uint256 snapshotDebtScaled = _streams[streamId].snapshotDebtScaled;
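Review bot: the proposed hunk is internally inconsistent. `_validateToken` is declared but never called from the stream path, and `allowedTokensDecimals` is keyed by token address while its name and the heading promise an allowlist of decimals; pick one (either call `_validateToken(token)` where the stream's token is set, or drop the mapping). The added `require(tokenDecimals == 18, "Incompatible token decimals");` would by itself reject every non-18 token, which makes the allowlist redundant and contradicts the unchanged context line `Helpers.scaleAmount({ amount: balance, decimals: tokenDecimals })`, which already scales the balance by the stored decimals rather than assuming 18. The `onlyAdmin` modifier is also used without being shown; state where it comes from.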
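To make the scaling in the quoted lines concrete, here is an added example (not Sablier's own code) that models 18-decimal normalisation in Python; the function names, the 18-decimal target, the sample amounts and the decimals guard are assumptions, and the guard shows one form such a check could take for tokens whose decimals are not 18.

```python
# Added example, not Sablier's code: a model of normalising token amounts to
# 18-decimal accounting units, as the Helpers.scaleAmount call above does.
# All names and sample values are constructed for illustration.

SCALE_DECIMALS = 18  # assumed internal accounting precision


def check_token_decimals(decimals: int) -> bool:
    """Guard a stream-creation path could apply: tokens with more than 18
    decimals cannot be scaled up (18 - decimals would underflow), so reject
    them; 0..18 decimals are all representable."""
    return 0 <= decimals <= SCALE_DECIMALS


def scale_amount(amount: int, decimals: int) -> int:
    """Raw token units -> 18-decimal accounting units (exact for decimals <= 18)."""
    if not check_token_decimals(decimals):
        raise ValueError(f"unsupported token decimals: {decimals}")
    return amount * 10 ** (SCALE_DECIMALS - decimals)


def descale_amount(amount_scaled: int, decimals: int) -> int:
    """18-decimal accounting units -> raw token units. Integer division drops
    any dust below the token's own precision, so the round trip is lossy."""
    if not check_token_decimals(decimals):
        raise ValueError(f"unsupported token decimals: {decimals}")
    return amount_scaled // 10 ** (SCALE_DECIMALS - decimals)


def covered_debt_scaled(balance: int, snapshot_debt_scaled: int, decimals: int) -> int:
    """Mirror of the three quoted lines: scale the raw balance, then compare it
    with the debt that is already kept in scaled units."""
    balance_scaled = scale_amount(balance, decimals)
    return min(balance_scaled, snapshot_debt_scaled)


if __name__ == "__main__":
    # Constructed sample: 5 USDC (6 decimals) against 3e18 of scaled debt.
    print(covered_debt_scaled(5_000_000, 3 * 10**18, 6))
    # A constructed 24-decimal token is rejected by the guard.
    print(check_token_decimals(24))
```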

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
