Sablier Flow (FoundryDeFi contest, 20,000 USDC prize pool)
Submission Details
Severity: medium
Status: Invalid

Visibility Specifiers Vulnerability

Summary

Functions in the SablierFlow.sol contract that do not declare an explicit visibility specifier may be reachable by external accounts and contracts, allowing callers to interact with sensitive logic in ways the authors did not intend.

Finding Description

The contract contains several functions that do not explicitly declare their visibility as external, public, internal, or private. A function whose visibility is left implicit may end up callable from outside the contract, which could lead to unauthorized state changes or mismanagement of funds. Explicit visibility specifiers are how Solidity restricts a function to its intended callers.

Two compiler facts bound the scope of this issue. In Solidity versions before 0.5.0 a function with no specifier silently defaulted to public, which is the dangerous case. From Solidity 0.7.0 onward the compiler refuses to compile a function that has no visibility specifier, so the first check for any reported instance is the contract's pragma: with a 0.7.0 or later compiler the code cannot be built, let alone deployed, in that state.

Where a default-public function does exist, it bypasses the access control the contract relies on: an external caller can invoke what was meant to be an internal helper and manipulate state or trigger critical operations without the checks performed by the intended entry points.

Malicious Input Propagation

For example, if a helper that is supposed to be called only after validation in a public entry point is itself publicly accessible, a malicious user or contract can invoke it directly, skipping that validation. Depending on the helper, this could mean changing balances, triggering transfers, or altering critical contract parameters.

Vulnerability Details

Every function should carry an explicit visibility specifier matching its intended callers:

  • Functions intended to be called only from within the contract or derived contracts should be declared internal.

  • Functions that should only be callable from within the contract itself, and not from derived contracts, should be declared private.

  • Functions meant to be called from outside should be declared external, or public if the contract also calls them internally; the narrower of the two is preferable.

Impact

The impact of this issue is categorized as Medium Severity. It does not by itself cause an immediate loss of funds, but a default-public helper lets an attacker reach state-changing logic without the checks of the intended entry points, which compromises the integrity of the contract's state. Explicit visibility is a foundational part of smart contract access control, and omitting it enlarges the attack surface.

Proof of Concept

// Example of a function without a visibility specifier.
// With solc < 0.5.0 this silently defaulted to public and was callable by anyone;
// with solc >= 0.7.0 it is a compile error and never reaches deployment.
function updateBalance(address user, uint256 amount) {
    // Logic to update user's balance
}

// Recommended fix: mark the function internal so it has no external entry point
// and can only be reached through the contract's validated public functions.
function updateBalance(address user, uint256 amount) internal {
    // Logic to update user's balance
}
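As an added example that is not part of the original submission or of Sablier's code, the Foundry test below shows the check a reviewer would run to confirm that an internal helper is unreachable from outside: a low-level call carrying the helper's selector reverts, while the validated external entry point still works. The Ledger contract, its deposit and _updateBalance functions, the attacker address, and the use of forge-std are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

import {Test} from "forge-std/Test.sol";

// Hypothetical ledger (not Sablier's code): one external entry point that
// validates input, and one internal helper that must not be callable directly.
contract Ledger {
    mapping(address => uint256) public balances;

    // Intended external entry point: validates, then delegates to the helper.
    function deposit() external payable {
        require(msg.value > 0, "zero deposit");
        _updateBalance(msg.sender, msg.value);
    }

    // internal: no ABI entry, so no external caller can reach it.
    function _updateBalance(address user, uint256 amount) internal {
        balances[user] += amount;
    }
}

contract LedgerVisibilityTest is Test {
    Ledger internal ledger;
    address internal attacker = address(0xBEEF); // constructed test address

    function setUp() public {
        ledger = new Ledger();
    }

    // An attacker tries to call the helper as if it were public, using the
    // selector it would have had. Ledger has no fallback, so the unmatched
    // selector reverts and no balance changes.
    function test_InternalHelperHasNoExternalEntryPoint() public {
        bytes memory data =
            abi.encodeWithSignature("_updateBalance(address,uint256)", attacker, 1 ether);

        vm.prank(attacker);
        (bool ok,) = address(ledger).call(data);

        assertFalse(ok);
        assertEq(ledger.balances(attacker), 0);
    }

    // The validated path remains the only way to change a balance.
    function test_DepositThroughExternalEntryPoint() public {
        vm.deal(attacker, 1 ether);
        vm.prank(attacker);
        ledger.deposit{value: 1 ether}();

        assertEq(ledger.balances(attacker), 1 ether);
    }
}
```

Run it with `forge test`. The same project will not even build if a function is missing its specifier under a 0.7.0 or later compiler, so reading the pragma and running `forge build` is the quicker first check; the low-level-call test is what confirms, for code that does compile, that the helper has no external dispatch entry.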

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
