Flow

Sablier
FoundryDeFi
20,000 USDC
Submission Details
Severity: medium
Invalid

Bypassing fee with refund

Summary

Streams can be used for various purposes, including raising funds for a payment, a business, a project or a crowdfunding campaign. If a stream is used for crowdfunding, the stream creator can set a negligible ratePerSecond so that the total debt stays negligible as well, no matter how long the stream runs.

Vulnerability Details

Instance

  1. Alice creates a stream to crowdfund a project, so multiple parties can deposit into it.

  2. After a year of deposits, 1,000,000 USDC has accumulated in the stream.

  3. 31,536,000 seconds (1 year) have passed; with only 1 wei as the ratePerSecond, less than 1 USDC of debt has been generated.

  4. The sender then calls refund, which sends the entire raised amount back to the sender without charging the protocol fee.
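As an added illustration (not Sablier's code) of the accounting the steps above rely on, the following Python model replays the scenario on a Flow-style stream. It assumes an 18-decimal ratePerSecond that is descaled to the token's decimals, a refund limited to the balance minus the debt the balance covers, and a protocol fee in basis points; the class and function names, the 1% fee and the 1,000,000 USDC figure are constructed for the example. It shows the refund path with and without a fee, and also covers the opposite edge case in which accrued debt exceeds the balance and nothing is refundable.

```python
"""Hypothetical accounting model of a Sablier Flow-style open-ended stream.

This is an added illustration, not Sablier's code. Assumptions:
  * ratePerSecond is an 18-decimal fixed-point number (1 token/second == 10**18),
    independent of the streamed token's own decimals;
  * the recipient's debt accrues as ratePerSecond * elapsed seconds and is then
    descaled (rounding down) to the token's smallest unit;
  * a refund returns the balance minus the debt the balance currently covers;
  * the protocol fee is expressed in basis points.
"""
from dataclasses import dataclass

RATE_DECIMALS = 18
BPS = 10_000
ONE_YEAR = 365 * 24 * 3600  # 31,536,000 seconds, as in the finding


@dataclass
class Stream:
    token_decimals: int
    rate_per_second: int  # 18-decimal fixed point; 1 wei here is 1e-18 tokens per second
    start_time: int       # unix time at which streaming started
    balance: int = 0      # tokens held by the stream, in the token's smallest unit

    def __post_init__(self) -> None:
        if not 0 <= self.token_decimals <= RATE_DECIMALS:
            raise ValueError("model only handles tokens with at most 18 decimals")
        if self.rate_per_second <= 0:
            raise ValueError("ratePerSecond must be positive")

    def deposit(self, amount: int) -> None:
        """Anyone may top up the stream; the crowd-funders in the scenario do this."""
        if amount <= 0:
            raise ValueError("deposit must be positive")
        self.balance += amount

    def total_debt(self, now: int) -> int:
        """Tokens the recipient has earned so far, descaled to token units."""
        elapsed = max(0, now - self.start_time)
        accrued_scaled = self.rate_per_second * elapsed
        return accrued_scaled // 10 ** (RATE_DECIMALS - self.token_decimals)

    def covered_debt(self, now: int) -> int:
        """The part of the debt the current balance can actually pay."""
        return min(self.total_debt(now), self.balance)

    def refundable_amount(self, now: int) -> int:
        """What the sender may pull back: everything the recipient has not yet earned."""
        return self.balance - self.covered_debt(now)


def refund_without_fee(stream: Stream, now: int) -> tuple[int, int]:
    """The behaviour the finding describes: the sender gets the whole refundable
    balance back and the protocol collects nothing. Returns (to_sender, to_protocol)."""
    amount = stream.refundable_amount(now)
    stream.balance -= amount
    return amount, 0


def refund_with_fee(stream: Stream, now: int, fee_bps: int) -> tuple[int, int]:
    """The recommended fix: the protocol fee is taken out of the refunded amount."""
    if not 0 <= fee_bps <= BPS:
        raise ValueError("fee must be between 0 and 100%")
    amount = stream.refundable_amount(now)
    fee = amount * fee_bps // BPS
    stream.balance -= amount
    return amount - fee, fee


def crowdfund_scenario(fee_bps: int = 100) -> dict:
    """Replay the finding's numbers with a 1 wei ratePerSecond on a 6-decimal token
    (constructed figures: 1,000,000 USDC raised over one year, 1% fee)."""
    raised = 1_000_000 * 10**6
    naive = Stream(token_decimals=6, rate_per_second=1, start_time=0)
    fixed = Stream(token_decimals=6, rate_per_second=1, start_time=0)
    naive.deposit(raised)
    fixed.deposit(raised)
    return {
        "debt_after_one_year": naive.total_debt(ONE_YEAR),
        "refundable": naive.refundable_amount(ONE_YEAR),
        "refund_without_fee": refund_without_fee(naive, ONE_YEAR),
        "refund_with_fee": refund_with_fee(fixed, ONE_YEAR, fee_bps),
    }


if __name__ == "__main__":
    for key, value in crowdfund_scenario().items():
        print(f"{key}: {value}")
```

With a 1 wei rate the year's accrual is 31,536,000 in 18-decimal units, which descales to 0 units of a 6-decimal token, so the whole 1,000,000 USDC is refundable; only the fee-charging path leaves anything with the protocol. A stream whose debt already exceeds its balance refunds nothing in either path.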

Impact

The protocol would lose fees if most streamers operated in this manner.

Tools Used

Manual review.

Recommendations

Deduct the protocol fee from refunds.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
