Flow

Sablier
FoundryDeFi
20,000 USDC
Submission Details
Severity: low
Valid

The use of `decimals()` may not work for all tokens

Summary

When a stream is created, the contract retrieves the token's number of decimals by calling `decimals()`, which belongs to the ERC20Metadata extension (an optional part of EIP-20, not the core ERC20 interface).

https://github.com/Cyfrin/2024-10-sablier/blob/main/src/SablierFlow.sol#L579

function _create(
    address sender,
    address recipient,
    UD21x18 ratePerSecond,
    IERC20 token,
    bool transferable
)
    internal
    returns (uint256 streamId)
{
    // Check: the sender is not the zero address.
    if (sender == address(0)) {
        revert Errors.SablierFlow_SenderZeroAddress();
    }
    uint8 tokenDecimals = IERC20Metadata(address(token)).decimals();
    // ... (remainder of _create not reproduced in the submission)

Vulnerability Details

The issue is that not all ERC20 tokens implement this interface: `decimals()` is optional in EIP-20, so for a token that does not expose it the external call reverts and the stream cannot be created.

Impact

Tokens that do not implement `decimals()` cannot be used with the protocol.

Tools Used

Manual review

Recommendations

Wrap the `decimals()` retrieval in a try/catch. If the call fails, assume the token has 18 decimals.

The protocol could also allow the token's decimals to be set manually as a fallback.
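The following is an added example of the fallback logic described above; it is not Sablier code, and the contract and function names (`DecimalsResolver`, `resolveDecimals`, `setDecimalsOverride`, `decimalsOverride`) are assumptions. It swaps the suggested try/catch for a low-level `staticcall`, for a reason explained in the code comments, and combines both recommendations: a default of 18 decimals and an admin-set manual override.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal copy of the optional ERC20Metadata getter (assumption: mirrors the standard signature).
interface IERC20Metadata {
    function decimals() external view returns (uint8);
}

/// @dev Added example, not project code: resolve a token's decimals without reverting
///      when the token does not implement the optional ERC20Metadata extension.
contract DecimalsResolver {
    struct Override {
        bool isSet;
        uint8 value;
    }

    // Fallback taken from the recommendation above.
    uint8 public constant DEFAULT_DECIMALS = 18;

    address public immutable admin;

    // Manual fallback: per-token decimals pinned by the admin (hypothetical mechanism).
    mapping(address token => Override) public decimalsOverride;

    event DecimalsOverrideSet(address indexed token, uint8 decimals);

    constructor() {
        admin = msg.sender;
    }

    /// @notice Pin the decimals of a token that lacks a usable decimals() getter.
    function setDecimalsOverride(address token, uint8 value) external {
        require(msg.sender == admin, "not admin");
        decimalsOverride[token] = Override({ isSet: true, value: value });
        emit DecimalsOverrideSet(token, value);
    }

    /// @notice Returns the decimals to use for `token` and whether they came from the token itself.
    /// @dev A low-level staticcall is used instead of try/catch on purpose: try/catch only catches a
    ///      revert raised inside the callee. If `token` has no code, or its fallback returns no data,
    ///      the call succeeds with empty return data and the ABI decoding of the missing uint8
    ///      reverts in *this* contract, which try/catch does not catch.
    function resolveDecimals(address token) public view returns (uint8 decimals_, bool fromToken) {
        (bool ok, bytes memory data) =
            token.staticcall(abi.encodeWithSelector(IERC20Metadata.decimals.selector));

        if (ok && data.length >= 32) {
            // Decode as uint256 first: some tokens declare decimals() as uint256, and decoding
            // a value above 255 directly as uint8 would revert here rather than fall back.
            uint256 raw = abi.decode(data, (uint256));
            if (raw <= type(uint8).max) {
                return (uint8(raw), true);
            }
        }

        Override memory o = decimalsOverride[token];
        if (o.isSet) {
            return (o.value, false);
        }
        return (DEFAULT_DECIMALS, false);
    }
}
```

The second return value lets the caller (or an off-chain monitor) tell a value reported by the token from an assumed one, which matters because a blanket default of 18 is wrong for a token that simply omits the getter but accounts in 6 or 8 decimals; the manual override exists precisely for that case, so assuming 18 is best treated as a last resort rather than a silent default.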

Updates

Lead Judging Commences

inallhonesty (Lead Judge), 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags: Tokens without the decimals() implementation

Appeal created

inallhonesty (Lead Judge), 8 months ago
Submission Judgement Published
Validated
Assigned finding tags: Tokens without the decimals() implementation
