Flow

Sablier
FoundryDeFi
20,000 USDC
Submission Details
Severity: medium
Invalid

`protocolFeeAmount` isn't included with the `aggregateBalance` in the `_withdraw()`

Vulnerability Details

The function `withdraw()` is used to withdraw the provided `amount`, minus the protocol fee, to the provided `to` address. A protocol fee may be charged on the withdrawn amount if the protocol fee is enabled for the streamed token.

Now, one of the protocol invariants is that ∑ stream balances + protocol revenue = aggregate balance.

```solidity
function _withdraw(
    uint256 streamId,
    address to,
    uint128 amount
)
    internal
    returns (uint128 withdrawnAmount, uint128 protocolFeeAmount)
{
    ...
    ...
    if (protocolFee > ZERO) {
        // Calculate the protocol fee amount and the net withdraw amount.
        (protocolFeeAmount, amount) = Helpers.calculateAmountsFromFee({ totalAmount: amount, fee: protocolFee });

        // Safe to use unchecked because addition cannot overflow.
        unchecked {
            // Effect: update the protocol revenue.
            protocolRevenue[token] += protocolFeeAmount;
        }
    }
    // @audit protocolFeeAmount isn't included in aggregateBalance
    ...
    ...
}
```

From the implementation of `_withdraw()`, we can see that the protocol fee is neither added to the stream balance nor reflected in the aggregate balance. This breaks the invariant, because protocol revenue increases while the protocol's aggregate balance does not reflect it.
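A claim like this is easiest to check by modelling the three quantities the invariant relates and replaying a fee-bearing withdrawal against them. The following is an added example written for this page, not Sablier's code; it assumes a simplified accounting in which the stream balance drops by the gross withdrawal, the fee is booked as protocol revenue, and only the net amount is deducted from `aggregateBalance` (because the fee tokens stay in the contract). The `deduct_gross_from_aggregate` flag is a constructed switch that models the alternative accounting the report is concerned about, where the aggregate balance drops by the gross amount and the fee is not reflected in it.

```python
from dataclasses import dataclass, field

# Fee expressed as an 18-decimal fraction, mirroring the UD60x18 style used on the page.
FEE_DENOMINATOR = 10**18


@dataclass
class FlowLedger:
    """Minimal model of the balances the invariant relates (constructed, not Sablier's code)."""

    protocol_fee: int = 0  # e.g. 5 * 10**16 == 5%
    stream_balances: dict = field(default_factory=dict)
    protocol_revenue: int = 0
    aggregate_balance: int = 0

    def deposit(self, stream_id: int, amount: int) -> None:
        # A deposit raises both the stream balance and the aggregate balance.
        self.stream_balances[stream_id] = self.stream_balances.get(stream_id, 0) + amount
        self.aggregate_balance += amount

    def calculate_amounts_from_fee(self, total_amount: int) -> tuple[int, int]:
        # Returns (fee_amount, net_amount); integer math floors the fee like an on-chain mul-div.
        fee_amount = total_amount * self.protocol_fee // FEE_DENOMINATOR
        return fee_amount, total_amount - fee_amount

    def withdraw(self, stream_id: int, amount: int, deduct_gross_from_aggregate: bool = False) -> tuple[int, int]:
        """Withdraw `amount` (gross) from a stream; returns (net_amount, fee_amount)."""
        if amount > self.stream_balances.get(stream_id, 0):
            raise ValueError("withdrawal exceeds stream balance")
        fee_amount, net_amount = 0, amount
        if self.protocol_fee > 0:
            fee_amount, net_amount = self.calculate_amounts_from_fee(amount)
            # The fee is retained by the contract and booked as revenue.
            self.protocol_revenue += fee_amount
        # The stream is charged the gross amount it is giving up.
        self.stream_balances[stream_id] -= amount
        # Only the net amount leaves the contract, so that is what the aggregate loses.
        # The flag models the alternative where the fee is not reflected in the aggregate.
        self.aggregate_balance -= amount if deduct_gross_from_aggregate else net_amount
        return net_amount, fee_amount

    def invariant_holds(self) -> bool:
        # sum(stream balances) + protocol revenue == aggregate balance
        return sum(self.stream_balances.values()) + self.protocol_revenue == self.aggregate_balance


def run_scenarios() -> dict:
    """Constructed scenario: 1000 units deposited, 5% fee, 200 withdrawn, under both accountings."""
    fee = 5 * 10**16

    net_first = FlowLedger(protocol_fee=fee)
    net_first.deposit(1, 1000)
    net_amount, fee_amount = net_first.withdraw(1, 200)

    gross_first = FlowLedger(protocol_fee=fee)
    gross_first.deposit(1, 1000)
    gross_first.withdraw(1, 200, deduct_gross_from_aggregate=True)

    return {
        "net_amount": net_amount,
        "fee_amount": fee_amount,
        "net_accounting_aggregate": net_first.aggregate_balance,
        "net_accounting_invariant": net_first.invariant_holds(),
        "gross_accounting_aggregate": gross_first.aggregate_balance,
        "gross_accounting_invariant": gross_first.invariant_holds(),
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

With the net-deduction accounting the ledger ends at stream balance 800, revenue 10 and aggregate 810, so the invariant holds; with the gross-deduction variant the aggregate ends at 800 and the invariant is off by exactly the fee. Replacing the model with a Foundry invariant handler that calls the real `withdraw()` is the natural next step when checking a report like this against the actual contract.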

Impact

Accounting of `aggregateBalance` will be incorrect and one of the main invariants of the protocol will be broken.

Tools Used

Manual Review

Recommendations

We recommend adding the protocol revenue to the aggregate balance when calling `_withdraw()`.

Updates

Lead Judging Commences

inallhonesty Lead Judge
10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
