Flow

Sablier
Foundry, DeFi
20,000 USDC
Submission Details
Severity: medium
Invalid

Access to the `withdraw` function should be limited

Summary

Anyone can withdraw a stream's funds to the recipient address, but the recipient may want to receive the funds at a different address.

Vulnerability Details

If the recipient's address is compromised, the sender or any other caller can still push the stream's funds to that address by calling `withdraw` with `to` set to the recipient. In this situation the recipient loses the funds, even though they could have withdrawn them to an external address of their choosing.

Impact

Funds are indirectly at risk: the likelihood is low, but the potential impact is high.

PoC

```solidity
function _withdraw(
    uint256 streamId,
    address to,
    uint128 amount
)
    internal
    returns (uint128 withdrawnAmount, uint128 protocolFeeAmount)
{
    //...
    // Check: if `msg.sender` is neither the stream's recipient nor an approved third party, the withdrawal
    // address must be the recipient.
@>  // @audit anyone can specify `to` as the `recipient` address and execute the withdrawal
    if (to != _ownerOf(streamId) && !_isCallerStreamRecipientOrApproved(streamId)) {
        revert Errors.SablierFlow_WithdrawalAddressNotRecipient({ streamId: streamId, caller: msg.sender, to: to });
    }
    //...
}
```

Tools Used

Manual review.

Recommendations

Restrict access to the `withdraw` function so that only the stream's recipient or an approved third party can call it, by modifying the check as follows:

```diff
function _withdraw(
    uint256 streamId,
    address to,
    uint128 amount
)
    internal
    returns (uint128 withdrawnAmount, uint128 protocolFeeAmount)
{
    //...
    // Check: if `msg.sender` is neither the stream's recipient nor an approved third party, the withdrawal
    // address must be the recipient.
-   if (to != _ownerOf(streamId) && !_isCallerStreamRecipientOrApproved(streamId)) {
+   if (!_isCallerStreamRecipientOrApproved(streamId)) {
        revert Errors.SablierFlow_WithdrawalAddressNotRecipient({ streamId: streamId, caller: msg.sender, to: to });
    }
    //...
}
```
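To make the difference between the two policies concrete, the Foundry test below models only the authorization check from the finding and exercises it for a stranger, the recipient and an approved operator. This is an added example, not code from the Sablier Flow repository: `WithdrawPolicyModel`, its `setRecipient`/`setApproved` helpers and the test addresses are assumptions, and `_ownerOf`/`_isCallerStreamRecipientOrApproved` are simplified stand-ins for the real lookups. Under the current check, a stranger may withdraw only to the recipient while the recipient or operator may withdraw anywhere; under the proposed check, the stranger may not withdraw at all.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

import { Test } from "forge-std/Test.sol";

/// Minimal model of the withdrawal-address check (hypothetical, not Sablier code).
contract WithdrawPolicyModel {
    mapping(uint256 => address) internal _recipients;
    mapping(uint256 => mapping(address => bool)) internal _approved;

    error WithdrawalAddressNotRecipient(uint256 streamId, address caller, address to);

    function setRecipient(uint256 streamId, address recipient) external {
        _recipients[streamId] = recipient;
    }

    function setApproved(uint256 streamId, address operator, bool ok) external {
        _approved[streamId][operator] = ok;
    }

    // Stand-in for the stream NFT owner lookup.
    function _ownerOf(uint256 streamId) internal view returns (address) {
        return _recipients[streamId];
    }

    // Stand-in for the recipient/operator check.
    function _isCallerStreamRecipientOrApproved(uint256 streamId) internal view returns (bool) {
        return msg.sender == _recipients[streamId] || _approved[streamId][msg.sender];
    }

    /// Check as it appears in the audited code: anyone may withdraw to the recipient,
    /// only the recipient or an approved operator may withdraw elsewhere.
    function checkCurrent(uint256 streamId, address to) external {
        if (to != _ownerOf(streamId) && !_isCallerStreamRecipientOrApproved(streamId)) {
            revert WithdrawalAddressNotRecipient(streamId, msg.sender, to);
        }
    }

    /// Check as proposed by the submission: only the recipient or an approved operator may withdraw.
    function checkProposed(uint256 streamId, address to) external {
        if (!_isCallerStreamRecipientOrApproved(streamId)) {
            revert WithdrawalAddressNotRecipient(streamId, msg.sender, to);
        }
    }
}

contract WithdrawPolicyTest is Test {
    WithdrawPolicyModel internal model;
    uint256 internal constant STREAM = 1;
    address internal recipient;
    address internal operator;
    address internal stranger;
    address internal other;

    function setUp() public {
        recipient = makeAddr("recipient");
        operator = makeAddr("operator");
        stranger = makeAddr("stranger");
        other = makeAddr("other");
        model = new WithdrawPolicyModel();
        model.setRecipient(STREAM, recipient);
        model.setApproved(STREAM, operator, true);
    }

    // Current policy: a stranger can push funds to the recipient address (the scenario in the finding).
    function test_current_strangerCanWithdrawToRecipient() public {
        vm.prank(stranger);
        model.checkCurrent(STREAM, recipient);
    }

    // Current policy: a stranger cannot redirect funds anywhere else.
    function test_current_strangerCannotWithdrawElsewhere() public {
        vm.prank(stranger);
        vm.expectRevert(
            abi.encodeWithSelector(WithdrawPolicyModel.WithdrawalAddressNotRecipient.selector, STREAM, stranger, other)
        );
        model.checkCurrent(STREAM, other);
    }

    // Current policy: the recipient may withdraw to any address.
    function test_current_recipientCanWithdrawAnywhere() public {
        vm.prank(recipient);
        model.checkCurrent(STREAM, other);
    }

    // Proposed policy: a stranger may not withdraw at all, even to the recipient.
    function test_proposed_strangerCannotWithdrawAtAll() public {
        vm.prank(stranger);
        vm.expectRevert(
            abi.encodeWithSelector(WithdrawPolicyModel.WithdrawalAddressNotRecipient.selector, STREAM, stranger, recipient)
        );
        model.checkProposed(STREAM, recipient);
    }

    // Proposed policy: an approved operator may still withdraw to any address.
    function test_proposed_operatorCanWithdrawAnywhere() public {
        vm.prank(operator);
        model.checkProposed(STREAM, other);
    }
}
```

Run with `forge test --match-contract WithdrawPolicyTest`. Note that the proposed check reuses the `WithdrawalAddressNotRecipient` error even though the failing condition is now about the caller rather than the `to` address; a production change would pair the new condition with a caller-not-authorized error so that reverts stay self-explanatory.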
Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
