Flow

Sablier
Foundry, DeFi
20,000 USDC
Submission Details
Severity: medium
Invalid

Unlimited access to the `SablierFlow::withdraw()` function

Summary

Currently, anyone can withdraw funds to the recipient address, but the recipient may prefer to receive funds at a different address.

Vulnerability Details

There is a possibility that the recipient's address is compromised and the recipient wants to withdraw funds to an external address, but the sender or someone else may transfer the funds to the recipient's address before this, resulting in the loss of funds.

Impact

The user may lose funds.

PoC

SablierFlow::_withdraw():

// Check: `msg.sender` is neither the stream's recipient nor an approved third party, the withdrawal address
// must be the recipient.
if (to != _ownerOf(streamId) && !_isCallerStreamRecipientOrApproved(streamId)) {
    revert Errors.SablierFlow_WithdrawalAddressNotRecipient({ streamId: streamId, caller: msg.sender, to: to });
}

Tools Used

Manual review.

Recommendations

Modify the check in `SablierFlow::_withdraw()`:

// Check: `msg.sender` is neither the stream's recipient nor an approved third party, the withdrawal address
// must be the recipient.
- if (to != _ownerOf(streamId) && !_isCallerStreamRecipientOrApproved(streamId)) {
+ if (!_isCallerStreamRecipientOrApproved(streamId)) {
revert Errors.SablierFlow_WithdrawalAddressNotRecipient({ streamId: streamId, caller: msg.sender, to: to });
}
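
Review bot: With `to != _ownerOf(streamId)` dropped from the condition on the `+` line, the revert fires for every caller that is neither the recipient nor approved, even when `to` is the recipient, so the comment on the first two lines and the error name `SablierFlow_WithdrawalAddressNotRecipient` no longer describe what is being checked. If blocking third-party withdrawals is the intent, rewrite the comment and revert with an error that names the unauthorized caller rather than the withdrawal address. Also note that a caller holding the recipient's key still satisfies `_isCallerStreamRecipientOrApproved(streamId)`, so the changed condition does not cover the compromised-address case described under Vulnerability Details.
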
Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
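
The two versions of the check side by side, as an added example that is not part of the submission or of Sablier's code. It is a simplified model: the contract name, storage layout and function names are all hypothetical, and only the two `if` conditions follow the snippets quoted in the PoC and the Recommendations.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified, hypothetical model of the withdraw authorization discussed above.
/// Only the shape of the two checks is taken from the submission.
contract WithdrawAuthModel {
    error WithdrawalAddressNotRecipient(uint256 streamId, address caller, address to);

    mapping(uint256 => address) public recipientOf;                 // stands in for _ownerOf
    mapping(uint256 => mapping(address => bool)) public isApproved; // approved third parties
    mapping(uint256 => uint256) public withdrawable;                // amount owed by the stream
    mapping(address => uint256) public received;                    // stands in for token transfers

    function create(uint256 streamId, address recipient, uint256 amount) external {
        require(recipientOf[streamId] == address(0) && recipient != address(0), "bad stream");
        recipientOf[streamId] = recipient;
        withdrawable[streamId] = amount;
    }

    function approve(uint256 streamId, address operator) external {
        require(msg.sender == recipientOf[streamId], "not recipient");
        isApproved[streamId][operator] = true;
    }

    function _callerIsRecipientOrApproved(uint256 streamId) internal view returns (bool) {
        return msg.sender == recipientOf[streamId] || isApproved[streamId][msg.sender];
    }

    /// Check as quoted in the PoC: a third party may call, but only with `to == recipient`.
    function withdrawCurrent(uint256 streamId, address to, uint256 amount) external {
        if (to != recipientOf[streamId] && !_callerIsRecipientOrApproved(streamId)) {
            revert WithdrawalAddressNotRecipient(streamId, msg.sender, to);
        }
        _pay(streamId, to, amount);
    }

    /// Check as proposed in the Recommendations: every third-party call reverts.
    function withdrawProposed(uint256 streamId, address to, uint256 amount) external {
        if (!_callerIsRecipientOrApproved(streamId)) {
            revert WithdrawalAddressNotRecipient(streamId, msg.sender, to);
        }
        _pay(streamId, to, amount);
    }

    function _pay(uint256 streamId, address to, uint256 amount) private {
        withdrawable[streamId] -= amount; // reverts on underflow under 0.8.x checked math
        received[to] += amount;
    }
}
```

In this model, `withdrawCurrent` lets a caller who is neither recipient nor approved credit only `recipientOf[streamId]`, while `withdrawProposed` reverts for that caller regardless of `to`. In both versions, a caller that is the recipient or an approved operator chooses `to` freely.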
