Flow

Sablier
FoundryDeFi
20,000 USDC
Submission Details
Severity: medium
Invalid

Missing Implementation of aggregateBalance Function Despite Declaration

Summary

The aggregateBalance function is declared in the interface, and a corresponding mapping (mapping(IERC20 token => uint256 amount)) exists in SablierFlowBase.sol:

mapping(IERC20 token => uint256 amount) public override aggregateBalance;

But there is no implementation of the function anywhere in the contract. This omission prevents users from retrieving the total balance of all streams for a specified ERC-20 token, leading to potential confusion and a lack of transparency in the protocol.

Vulnerability Details

https://github.com/Cyfrin/2024-10-sablier/blob/8a2eac7a916080f2022527408b004578b21c51d0/src/abstracts/SablierFlowBase.sol#L34C5-L35C1

https://github.com/Cyfrin/2024-10-sablier/blob/8a2eac7a916080f2022527408b004578b21c51d0/src/interfaces/ISablierFlowBase.sol#L63C5-L64C1

There is no implementation function to retrieve the aggregate balance, but the function was declared in the interface and the mapping was also declared in the implementation contract. This oversight can lead to serious issues. While the mapping can be updated internally, the lack of a retrieval function prevents users from effectively accessing the updated information.

Impact

• Functionality Loss: Users are unable to query the total balance of streams for a given token, severely limiting their ability to assess the liquidity available within the protocol.
• Potential Errors in Financial Calculations: If other parts of the code rely on the output of aggregateBalance for calculation, those parts could fail or produce incorrect results, leading to further issues in the system.

Specific Code Impact:

  1. In the _deposit Function:

unchecked {
// Effect: update the aggregate balance.
aggregateBalance[token] += amount;
}

◦ No Actual Update to Aggregate Balance: The absence of implementation means this line does not perform its intended action. While the mapping can be updated internally, the lack of a retrieval function prevents users from effectively accessing the updated information.

◦ Misleading Data: Users querying the total balance would see outdated values, misinforming them about available funds.

◦ Potential Conflicts: Other functions relying on aggregateBalance may produce incorrect results, creating inconsistencies throughout the protocol.

  2. In the Refund Function:

unchecked {
// Effect: update the aggregate balance.
aggregateBalance[token] += amount;
}

◦ Incorrect Refund Logic: Missing implementation means refunds do not adjust the total available balance, potentially leading to liquidity issues.

◦ Confusion During Withdrawals: Users might face unexpected behaviors when trying to withdraw funds based on inaccurate balance information.

◦ Financial Implications: Inaccurate balance updates could result in revenue loss or miscalculations of available funds for various stakeholders.
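The check a reviewer would run against a "declared but not implemented" claim is whether the compiler already synthesises the getter. The block below is an added example written for this page; it is not Sablier code and not part of the submission. It uses stand-in names (IERC20, IAggregateBalanceReader, AggregateBalanceBase, AggregateBalanceDemo, Reader) that are assumptions chosen to mirror the shape of the declarations linked above. In Solidity (0.6.0 and later), a `public` state variable marked `override` implements an `external view` function of the same name and signature from an inherited interface, so the mapping itself is the getter; the deposit and refund paths discussed in items 1 and 2 then write to the same storage that the getter reads.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity >=0.8.22;

// Added example, not from the Sablier codebase or the submission.
// Minimal stand-in so the file compiles on its own; the real protocol imports OpenZeppelin's IERC20.
interface IERC20 {}

/// Interface declaring the getter, in the shape of the declaration the report links to.
/// (IAggregateBalanceReader is an assumed name for this example.)
interface IAggregateBalanceReader {
    /// @notice Retrieves the sum of balances of all streams for the given token.
    function aggregateBalance(IERC20 token) external view returns (uint256 amount);
}

/// The `public override` mapping is the implementation of the interface function:
/// the compiler generates `aggregateBalance(IERC20) external view returns (uint256)`
/// and verifies that its signature matches the interface. Removing `override` fails
/// compilation with a missing-override error, and removing `public` leaves the
/// contract with an unimplemented function.
abstract contract AggregateBalanceBase is IAggregateBalanceReader {
    mapping(IERC20 token => uint256 amount) public override aggregateBalance;

    /// Deposit path: the same storage slot the getter reads is incremented.
    /// Checked arithmetic is used here by design; the page's snippet shows `unchecked`.
    function _increaseAggregate(IERC20 token, uint256 amount) internal {
        aggregateBalance[token] += amount;
    }

    /// Refund path: decreases the same storage; reverts on underflow.
    function _decreaseAggregate(IERC20 token, uint256 amount) internal {
        aggregateBalance[token] -= amount;
    }
}

/// Concrete contract exposing both paths so the getter can be exercised.
contract AggregateBalanceDemo is AggregateBalanceBase {
    function deposit(IERC20 token, uint256 amount) external {
        _increaseAggregate(token, amount);
    }

    function refund(IERC20 token, uint256 amount) external {
        _decreaseAggregate(token, amount);
    }
}

/// A caller that only knows the interface. This compiles and returns live values
/// because the getter exists in AggregateBalanceDemo's ABI.
contract Reader {
    function totalFor(IAggregateBalanceReader flow, IERC20 token) external view returns (uint256) {
        return flow.aggregateBalance(token);
    }
}
```

To confirm the getter from outside the source, inspect the compiled ABI (for a Foundry project, `forge inspect AggregateBalanceDemo abi`) and look for the `aggregateBalance(address)` view entry; a getter that appears there is callable by users and by other contracts, so the "outdated values" and "incorrect refund logic" scenarios in items 1 and 2 would require a separate bug in the update paths, not the absence of a retrieval function.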

Tools Used

Manual analysis

Recommendations

Recommended Mitigation Steps:
Implement the aggregateBalance Function: Develop and integrate the implementation for the aggregateBalance function to accurately calculate and return the total balance of all streams for a specified token.

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
