Flow

Sablier

FoundryDeFi

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Comment-Code Mismatch in Sablier's _coveredDebtOf Function Creates Maintenance Risk and Code Comprehension Issues

cheatc0d33

Summary

There is a comment-code inconsistency in _coveredDebtOf where the comment states the if-condition handles both "less than or equal to" cases, but the code only handles "less than" with balance < totalDebt. While mathematically sound due to value equivalence when balance equals totalDebt, this discrepancy between documented and implemented behavior creates a maintenance hazard in a critical function that determines stream payout capabilities and solvency status.

function _coveredDebtOf(uint256 streamId) internal view returns (uint128) {

uint128 balance = _streams[streamId].balance;

if (balance == 0) {

return 0;

}

uint256 totalDebt = _totalDebtOf(streamId);

// Comment claims to handle "less than or equal" case

// If the stream balance is less than or equal to the total debt, return the stream balance.

if (balance < totalDebt) { // But code only handles "less than" case!

return balance;

}

// At this point, the total debt fits within `uint128`...

return totalDebt.toUint128();

}

The issue here is a mismatch between the comment's specification and the actual code behavior:

Case Analysis:

Case 1: balance < totalDebt

- Comment says: return balance

- Code does: return balance

- ✅ Matches

Case 2: balance == totalDebt

- Comment says: return balance

- Code does: return totalDebt.toUint128()

- ❌ Mismatch (although values are equal!)

Case 3: balance > totalDebt

- Comment says: not specified

- Code does: return totalDebt.toUint128()

- ✅ Correct behavior

Why This Matters:

When balance equals totalDebt both paths would mathematically yield the same result because:

if balance == totalDebt:
Path 1 (if block): returns balance
Path 2 (else block): returns totalDebt.toUint128()
// These are equivalent values!
However, the comment is still incorrect because it claims the if-block handles both cases when it only handles the "less than" case.

Example Test Case Demonstrating the Issue:

function testCoveredDebtEqualCase() public {

// Setup stream with balance == totalDebt == 100

uint128 balance = 100;

uint256 totalDebt = 100;

// Both paths give same result but follow different code paths

uint128 result = _coveredDebtOf(streamId);

// Result is correct (100) but got there through path not matching comment

// More importantly, future devs might misunderstand the logic flow when debugging

}

Impact

The impact of this comment-code mismatch in _coveredDebtOf manifests in maintenance risk and code comprehension challenges. When developers debug or modify streaming payment logic that relies on covered debt calculations, the misleading comment about handling "less than or equal" cases could cause them to misunderstand the execution flow. While both code paths yield mathematically equivalent results when balance equals totalDebt (since returning either balance or totalDebt.toUint128() gives the same value), a developer might inadvertently introduce bugs by building new features or fixes based on the incorrect assumption about which path handles the equality case. Though not a security issue due to mathematical equivalence, this discrepancy erodes code maintainability and increases the cognitive overhead during future protocol modifications.

Fix

Proper Fix - Option 1 (Fix code to match comment):

function _coveredDebtOf(uint256 streamId) internal view returns (uint128) {

uint128 balance = _streams[streamId].balance;

if (balance == 0) {

return 0;

}

uint256 totalDebt = _totalDebtOf(streamId);

// Now matches comment

if (balance <= totalDebt) {

return balance;

}

return totalDebt.toUint128();

}

Proper Fix - Option 2 (Fix comment to match code):

function _coveredDebtOf(uint256 streamId) internal view returns (uint128) {

uint128 balance = _streams[streamId].balance;

if (balance == 0) {

return 0;

}

uint256 totalDebt = _totalDebtOf(streamId);

// If the stream balance is less than the total debt, return the stream balance

if (balance < totalDebt) {

return balance;

}

// If balance >= totalDebt, return the total debt amount

return totalDebt.toUint128();

}

While this is not a security vulnerability (both paths produce mathematically correct results), it's a code clarity issue that:

Could confuse developers during maintenance
Makes code review more difficult
Could lead to bugs if future modifications assume the comment is correct
Violates the principle that comments should accurately describe code behavior

Best practice would be to align the comment with the actual code behavior since the current implementation is mathematically sound and slightly more gas efficient by avoiding an extra equality check.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

[INVALID]`_coveredDebtOf` discrepancy between condition and comment `balance < totalDebt`

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

699

29 USDC / LOC

High Medium

19,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.