Flow

Sablier
Foundry, DeFi
20,000 USDC

Submission Details
Severity: medium
Invalid

Title: Lack of Minimum Deposit Check Enables Dust Attack on deposit Function

Summary

https://github.com/Cyfrin/2024-10-sablier/blob/8a2eac7a916080f2022527408b004578b21c51d0/src/SablierFlow.sol#L254-L273

Vulnerability Details

The deposit function lacks a minimum deposit amount validation, allowing users to deposit extremely low, or "dust," amounts. Since this function is public and can be called externally, malicious users could exploit this by repeatedly sending minuscule amounts to various streams, especially streams with uncovered debt, which need deposits to cover that debt. This "dust attack" could be used to target uncovered-debt streams, potentially creating a high volume of low-value transactions.

```solidity
function deposit(
    uint256 streamId,
    uint128 amount,
    address sender,
    address recipient
)
    external
    override
    noDelegateCall
    notNull(streamId)
    notVoided(streamId)
    updateMetadata(streamId)
{
    _verifyStreamSenderRecipient(streamId, sender, recipient);

    // Checks, Effects, and Interactions: deposit on stream.
    _deposit(streamId, amount);
}
```

This vulnerability arises because the function doesn't enforce a minimum deposit threshold, which could result in excessive overhead costs due to additional calls and storage updates. Moreover, a stream with uncovered debt will be the one most under attack. For example, if a stream needs 1 WETH to cover a debt, a malicious user can submit a queue of 1 wei deposits and front-run the legitimate deposit transaction; if the attacker spends 100k on gas to run a queue of malicious transactions, then the legitimate depositor also needs to spend 100k on gas to deposit to that stream.

Impact

1- Increased Gas Costs: Dust deposits to the contract may lead to higher gas consumption on each deposit transaction, increasing operational costs for maintaining the stream.

2- Storage Overhead: Frequent dust deposits can clog storage with irrelevant transaction history, which may degrade contract performance over time and lead to unnecessary storage consumption.

3- Potential Denial of Service (DoS): By flooding insolvent streams (those with uncovered debt) with dust deposits, malicious actors can create operational overhead, making it difficult for legitimate users to interact with the contract effectively.

Tools Used

Manual Review, Visual Studio Code

Recommendations

Implement a minimum deposit amount for each token, configured at the same time the protocol fee is set for that token, and check it within the deposit function. This would prevent deposits below a specified threshold, ensuring only meaningful amounts are processed. Additionally, it would reduce the likelihood of spam deposits and the associated operational overhead. The minimum amount should be carefully selected to balance usability with security.
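The following is an added, self-contained sketch of the recommended check; it is not Sablier's code and none of its names (`MinDepositExample`, `minDeposit`, `setMinDeposit`, `DepositBelowMinimum`, the `Stream` struct) exist in the audited repository. It keeps a per-token floor that an admin sets (the same place a per-token protocol fee would be configured) and reverts in `deposit` before any storage write or token transfer, so a dust deposit costs the sender a reverted call and leaves no state behind. A floor of zero for a token disables the check, which preserves the current behaviour for tokens the admin has not configured.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

/// Minimal ERC-20 surface needed for the example (assumed, not Sablier's interface).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical stream vault illustrating a per-token minimum deposit check.
/// Storage layout, names and the admin model are assumptions for this example.
contract MinDepositExample {
    error OnlyAdmin();
    error StreamNull(uint256 streamId);
    error DepositBelowMinimum(uint256 streamId, address token, uint128 amount, uint128 minimum);
    error TransferFailed();

    struct Stream {
        address token;   // ERC-20 the stream is denominated in
        uint128 balance; // amount deposited so far
    }

    address public immutable admin;
    uint256 public nextStreamId = 1;

    /// token => minimum accepted deposit (0 means "no floor configured").
    mapping(address token => uint128 minimum) public minDeposit;
    mapping(uint256 streamId => Stream stream) internal _streams;

    event MinDepositSet(address indexed token, uint128 minimum);
    event Deposited(uint256 indexed streamId, address indexed funder, uint128 amount);

    constructor() {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert OnlyAdmin();
        _;
    }

    /// Admin configures the floor per token, alongside that token's protocol fee.
    function setMinDeposit(address token, uint128 minimum) external onlyAdmin {
        minDeposit[token] = minimum;
        emit MinDepositSet(token, minimum);
    }

    /// Creates an empty stream for `token`; kept minimal for the example.
    function create(address token) external returns (uint256 streamId) {
        streamId = nextStreamId++;
        _streams[streamId].token = token;
    }

    /// Hardened deposit: the minimum check runs first, so a dust call reverts
    /// before any effect (balance update) or interaction (transferFrom).
    function deposit(uint256 streamId, uint128 amount) external {
        Stream storage stream = _streams[streamId];
        if (stream.token == address(0)) revert StreamNull(streamId);

        uint128 minimum = minDeposit[stream.token];
        if (amount < minimum) {
            revert DepositBelowMinimum(streamId, stream.token, amount, minimum);
        }

        // Effects
        stream.balance += amount;
        emit Deposited(streamId, msg.sender, amount);

        // Interactions
        if (!IERC20(stream.token).transferFrom(msg.sender, address(this), amount)) {
            revert TransferFailed();
        }
    }

    function balanceOf(uint256 streamId) external view returns (uint128) {
        return _streams[streamId].balance;
    }
}
```

In the audited contract the equivalent check would belong at the top of `_deposit`, ahead of the token transfer, so it benefits from the existing `notNull`/`notVoided` modifiers on `deposit`. Choosing the floor per token matters because a sensible minimum for an 18-decimal token is meaningless for a 6-decimal one, and the value should be expressed in the token's own smallest unit when it is set.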

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

aua_oo7 Submitter
8 months ago
inallhonesty Lead Judge
8 months ago
aua_oo7 Submitter
8 months ago
aua_oo7 Submitter
8 months ago
inallhonesty Lead Judge
8 months ago
inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
