incorrect calculation in covered balance hence wrong withdrawal amount
Summary
It is stated that if the stream balance is less than or equal to total debt , the function should return the stream balance . However , the condition check only compares if the balance is strictly less than the total debt. When the balance equals the total debt , this ommission results in the returning of the total debt instead of the balance , which can lead to unexpected outcomes in calculaions.
Vulnerability Details
this issue is localise to the _covered debt function , which is use to determine the amount of covere debt. It affects downstream functions like Maxwithdrawals calculations which rely on this functions output.When the balance is equal to the total debt , the balance is not returned which shoul be the maxwithdarwal amount.
https://github.com/Cyfrin/2024-10-sablier/blob/main/src/SablierFlow.sol#L467C4-L470C10
Impact
Inaccurate output of total debt calculation : when the balance is exactly equal to the total debt , the function does not return the balance as it is supposed to resulting to unexpected calculations.
test case:
Initialize the stream with a specific balance
make the total debt accumulate to exactly equal to the streams balance
call the
_coveredDebtOffunction and it returnstotalDebtinstead ofbalance.
Tools Used
manual review
Recommendations
update the condition to include equality check
Lead Judging Commences
[INVALID]`_coveredDebtOf` discrepancy between condition and comment `balance < totalDebt`
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.