When withdrawing funds,must ensure that streamId is not void
Summary
When withdrawing funds,must ensure that streamId is not void
Vulnerability Details
https://github.com/Cyfrin/2024-10-sablier/blob/main/src/SablierFlow.sol#L418-L427
https://github.com/Cyfrin/2024-10-sablier/blob/main/src/SablierFlow.sol#L435-L443
In contract design, voided usually means that the process has been terminated and any related operations (such as withdrawals) are no longer allowed. Other functions have this restriction, and the withdraw and withdrawMax functions should also pass the notVoided restriction. The withdrawal function can be consistent with the overall business logic of the contract.
Impact
• Risk: A voided stream usually means that the stream has been canceled or is no longer valid, and the funds should be frozen or cleared. Without the notVoided modifier, users may continue to withdraw funds from voided streams.
Tools Used
Manual review
Recommendations
To fix this, you can add the notVoided modifier to the withdrawal function to check if the stream is valid before performing the withdrawal. This fix ensures that all streams must be in a valid state before a withdrawal operation is allowed.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.