The `_update` function is intended to override the {ERC-721._update} function, ensuring that streams marked as non-transferable cannot be transferred. According to the function documentation, if the `from` address is the zero address, the transfer is allowed since it indicates a minting operation. However, the current `if` condition appears reversed; it checks whether `from` is not zero and then reverts if the stream is non-transferable. This creates a scenario where streams with `from` as zero could bypass the non-transferable restriction, which may lead to unintended transfers for certain streams, particularly if the check was intended to block transfers in all cases where the stream is not transferable.
This bug can allow streams that should not be transferable to be transferred, potentially resulting in unauthorized stream recipients and breaking protocol rules regarding transfer restrictions. This inconsistency could also impact the protocol's trust and functionality.
Visual Studio Code
Adjust the `if` condition to ensure that non-transferable streams cannot be transferred, regardless of the `from` address, unless it is zero, explicitly indicating a mint. Specifically, consider updating the condition as follows to ensure correct functionality:
```solidity
function _update(
address to,
uint256 streamId,
address auth
)
internal
override
updateMetadata(streamId)
returns (address)
{
address from = _ownerOf(streamId);
-- if (from != address(0) && !_streams[streamId].isTransferable) {
-- revert Errors.SablierFlowBase_NotTransferable(streamId);
-- }
++ if(from == address(0) || ! _streams\[streamId].isTransferable) {
++ revert Errors.SablierFlowBase\_NotTransferable(streamId);
++ }
++ if(to == address(0)) {
++ revert Errors.SablierFlowBase_NotTransferToAddressZero();
++ }
return super._update(to, streamId, auth);
}
```
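Review bot: The added condition `if(from == address(0) || ! _streams\[streamId].isTransferable)` reverts whenever `from` is the zero address, which is the mint case that both the description above and the closing sentence say must be allowed, so with this change a mint would always revert. The removed condition `from != address(0) && !_streams[streamId].isTransferable` already reverts only when the call is not a mint and the stream is non-transferable; keep it, or show a concrete case that the removed lines let through. The new `to == address(0)` check is not motivated anywhere in the write-up and would reject every `_update` call with a zero `to`; drop it or explain why it is needed. The backslashes in `_streams\[streamId]` and `SablierFlowBase\_NotTransferable` look like markdown escapes and would not compile as written.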
This modification ensures that transfers are only allowed when `from` is zero (indicating a mint) or when the stream is explicitly marked as transferable.