Flow

Sablier
FoundryDeFi
20,000 USDC
Submission Details
Severity: medium
Invalid

Malicious recipients can honeypot other users selling them a stream on an NFT marketplace and `withdraw` and `void` it right before the purchase happens

Summary

Malicious recipients can honeypot other users selling them a stream on an NFT marketplace and withdraw and void it right before the purchase happens. This vulnerability occurs when a recipient attempts to sell their NFT on a marketplace but can withdraw and void the associated stream before the NFT sale transaction is confirmed.

Link: https://github.com/Cyfrin/2024-10-sablier/blob/8a2eac7a916080f2022527408b004578b21c51d0/src/SablierFlow.sol#L435-L450

https://github.com/Cyfrin/2024-10-sablier/blob/8a2eac7a916080f2022527408b004578b21c51d0/src/SablierFlow.sol#L405-L414

Vulnerability Details

In the majority of NFT marketplaces such as OpenSea and Blur, users list an NFT by approving it to the marketplace contract. Once the NFT finds a buyer, the marketplace contract transfers the NFT from the owner to the buyer, who pays to receive it.

In Sablier Flow, a stream is represented as an NFT and (if marked as `isTransferable = true`) can be:

  • transferred (by the NFT owner): the new NFT owner will be able to withdraw streamed and unclaimed funds.

  • voided (by the stream sender, the recipient or a third authorized party): voiding puts the stream in a state where it no longer streams funds (the current owner is still able to withdraw the already streamed funds). A voided stream can't be restarted.

Here is a realistic scenario where a malicious user can honeypot other users to steal their funds.

  • The recipient puts its streaming NFT, with a withdrawable amount of 1000 USDC and a `ratePerSec` = 100 USDC/day, up for sale on an NFT marketplace at 3000 USDC (a potential buyer starts earning from the streaming NFT after the first month).

  • The recipient monitors the transactions on the mempool.

  • When he sees the transaction buying the NFT in the mempool, he sends a transaction withdrawing and voiding the stream with a higher gas price than the NFT buying transaction.

  • The recipient's transaction to withdraw and void the stream is mined before the buy transaction; then the buy transaction is mined.

  • The buyer ends up with an empty stream.

Impact

Loss of funds for the buyer, as they purchase an NFT whose stream is empty and voided.

This results in a loss of funds for the victims, profit for the malicious user and loss of trust in the Sablier protocol.

Tools Used

Manual review

Recommendations

Add a check that disables the transfer of a voided stream.
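One way to implement the recommended check, shown here as an added example and not Sablier's own code: a minimal stream NFT built on OpenZeppelin's ERC721 v5 `_update` hook that refuses owner-to-owner transfers of voided streams. The contract name, the `Stream` struct, the `isVoided` flag, the `void` function and the error names are assumptions chosen for the example; Sablier Flow's real storage layout, authorization and error types differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

// Illustrative only: a minimal stream NFT modelled on the behaviour described
// above, not Sablier Flow's actual contract. All names below are assumptions.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

contract StreamNFTExample is ERC721 {
    struct Stream {
        address sender;        // who funds the stream and may void it
        bool isTransferable;   // mirrors the page's isTransferable flag
        bool isVoided;         // set once by void(); never cleared
    }

    mapping(uint256 streamId => Stream) internal _streams;
    uint256 internal _nextStreamId = 1;

    error NotTransferable(uint256 streamId);
    error VoidedStreamNotTransferable(uint256 streamId);
    error Unauthorized(uint256 streamId, address caller);

    constructor() ERC721("Stream NFT (example)", "xSTREAM") {}

    /// Mint a stream NFT to `recipient`; the caller becomes the stream sender.
    function create(address recipient, bool transferable) external returns (uint256 streamId) {
        streamId = _nextStreamId++;
        _streams[streamId] = Stream({sender: msg.sender, isTransferable: transferable, isVoided: false});
        _mint(recipient, streamId);
    }

    /// Sender or current recipient may void; a voided stream never resumes.
    function void(uint256 streamId) external {
        Stream storage s = _streams[streamId];
        if (msg.sender != s.sender && msg.sender != _ownerOf(streamId)) {
            revert Unauthorized(streamId, msg.sender);
        }
        s.isVoided = true;
    }

    function isVoided(uint256 streamId) external view returns (bool) {
        return _streams[streamId].isVoided;
    }

    /// OpenZeppelin v5 transfer hook, run for every mint, burn and transfer.
    /// Mints (from == 0) and burns (to == 0) pass through; owner-to-owner
    /// transfers revert for non-transferable streams and for voided streams,
    /// so a marketplace sale that lands after a void() reverts instead of
    /// delivering an empty stream to the buyer.
    function _update(address to, uint256 streamId, address auth) internal override returns (address from) {
        from = _ownerOf(streamId);
        if (from != address(0) && to != address(0)) {
            if (!_streams[streamId].isTransferable) revert NotTransferable(streamId);
            if (_streams[streamId].isVoided) revert VoidedStreamNotTransferable(streamId);
        }
        return super._update(to, streamId, auth);
    }
}
```

With this hook in place, the ordering described in the scenario (void mined first, buy mined second) makes the marketplace's `transferFrom` revert, so the buyer's payment transaction fails rather than completing against a voided stream. The check covers only the void step: a withdrawal by the current recipient is an ordinary action on a live stream and is not affected by it.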

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

kiteweb3 Submitter 10 months ago
inallhonesty Lead Judge 10 months ago
inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
