Flow

Sablier
FoundryDeFi
20,000 USDC
Submission Details
Severity: high
Invalid

Unverified Input Addresses Vulnerability

Summary

The SablierFlow contract does not validate address inputs, so the zero address can be passed to functions that move funds. Value sent to address(0) cannot be recovered, which can lead to loss of funds.

Finding Description

In the current implementation of the SablierFlow contract, there are places where addresses are used in critical functions without being validated first. The absence of a zero-address check breaks the contract's expected input-handling guarantee: if a user creates a flow or performs a withdrawal with address(0) as the recipient, the result is unintended behaviour such as funds sent to an address from which they can never be recovered.

For instance, if a user passes the zero address to the _withdraw function, whether by mistake or deliberately, the contract will attempt to transfer funds to that address. What happens next depends on the asset: a native-ETH transfer to address(0) does not revert, so the ether is simply burned, while an ERC20 implementation that follows OpenZeppelin's reverts on a zero-address recipient. In neither case can anyone recover value that reaches address(0). If the bad input is not rejected at the entry point, the error propagates through the system, with significant financial consequences.

Vulnerability Details

  • Type: Input Validation

  • Location: SablierFlow.sol

  • Functionality Affected: Critical functions that handle transfers, including flow creation and withdrawal.

  • Security Guarantee Broken: Proper handling and validation of user inputs to prevent the use of invalid addresses.

Impact

This vulnerability can lead to a high-impact scenario in which users lose funds, either inadvertently or because they were tricked into supplying a zero-address recipient. Funds sent to the zero address cannot be recovered, which undermines trust in the contract and damages its reputation and usability. The financial consequences can be severe when significant amounts are involved.

Proof of Concept

function _withdraw(address _to, uint256 _amount) internal {
    // Missing validation: _to is never checked against address(0)
    // Transfer funds logic
    payable(_to).transfer(_amount);
}

In the simplified snippet above, nothing stops _to from being address(0); the _withdraw function should reject the zero address before transferring.

Recommendations

To address this vulnerability, input validation checks should be implemented wherever user inputs are received. Specifically, the contract should enforce that addresses passed to critical functions must not be zero addresses. Here's a code snippet demonstrating the fix:

function _withdraw(address _to, uint256 _amount) internal {
require(_to != address(0), "Invalid address: zero address not allowed");
// Proceed with the transfer
payable(_to).transfer(_amount);
}
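
The following Foundry test is an added illustration, not code from the original submission or from SablierFlow. The vault contract, its function names and the guarded flag are assumptions chosen to show both behaviours side by side: with the check in place the withdrawal reverts and no state changes, and without it a native-ETH transfer to address(0) succeeds and the ether is burned. It uses call instead of transfer to avoid the 2300-gas stipend, which does not affect the point being shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal ETH vault (assumption: not SablierFlow). The `guarded`
// flag toggles the zero-address check so both variants can be tested.
contract ZeroAddrVault {
    error InvalidRecipient();
    error InsufficientBalance();

    bool public immutable guarded;
    mapping(address => uint256) public balances;

    constructor(bool guarded_) {
        guarded = guarded_;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(address to, uint256 amount) external {
        if (balances[msg.sender] < amount) revert InsufficientBalance();
        balances[msg.sender] -= amount;
        _withdraw(to, amount);
    }

    function _withdraw(address to, uint256 amount) internal {
        // The recommended check: reject address(0) before moving funds.
        if (guarded && to == address(0)) revert InvalidRecipient();
        (bool ok, ) = payable(to).call{value: amount}("");
        require(ok, "transfer failed");
    }
}

contract ZeroAddrVaultTest is Test {
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    function _deploy(bool guarded) internal returns (ZeroAddrVault vault) {
        vault = new ZeroAddrVault(guarded);
        vm.deal(alice, 1 ether);
        vm.prank(alice);
        vault.deposit{value: 1 ether}();
    }

    // Guarded: the call reverts and the whole transaction is rolled back,
    // so Alice's credited balance is untouched.
    function test_guardedWithdrawToZeroAddressReverts() public {
        ZeroAddrVault vault = _deploy(true);
        vm.prank(alice);
        vm.expectRevert(ZeroAddrVault.InvalidRecipient.selector);
        vault.withdraw(address(0), 0.5 ether);
        assertEq(vault.balances(alice), 1 ether);
        assertEq(address(0).balance, 0);
    }

    // Unguarded: a native-ETH send to address(0) does not revert.
    // The ether now sits at address(0), where nobody can spend it.
    function test_unguardedWithdrawToZeroAddressBurnsEther() public {
        ZeroAddrVault vault = _deploy(false);
        vm.prank(alice);
        vault.withdraw(address(0), 0.5 ether);
        assertEq(vault.balances(alice), 0.5 ether);
        assertEq(address(0).balance, 0.5 ether);
    }

    // A normal recipient works identically in both variants.
    function test_guardedWithdrawToValidRecipient() public {
        ZeroAddrVault vault = _deploy(true);
        vm.prank(alice);
        vault.withdraw(bob, 0.5 ether);
        assertEq(bob.balance, 0.5 ether);
        assertEq(vault.balances(alice), 0.5 ether);
    }
}
```

Run with forge test -vv. The second test is the one worth keeping in a real suite as a regression guard: if someone later removes the check, the burn becomes visible as a non-zero address(0) balance rather than as a silent loss.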

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity