Flow

Sablier

FoundryDeFi

20,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Missing minimum rate of Transfer of Token may grief the Recipient.

topptiger

Summary

The Recipient might be expecting the transfer of tokens to take place at some reasonable rate but the sender can unilaterally alter the _streams[streamId].ratePerSecond to a rate which is not acceptable to a recipient at point of streaming.

Vulnerability Details

suppose the recipient is expecting to receive tokens from the sender at the rate of 1e18 Token per second and the sender initially agrees to it but as the sender piles up a lot of debt he acts maliciously and decreases the rate of transfer unilaterally to 1 Token per second with the intention of delaying the transfer to a very long time in the future.

For example in the above case it will take 1.1574074e13 days to transfer 1e18 token which the recipient was expecting to be transferred in 1 second.

Impact

This has the potential to render the protocol ineffective from the recipients point of view and a sender can grief him.

Tools Used

Manual Review.

Recommendations

In dataTypes.Flow.Streamstruct add the following line :

uint128 balance; // token decimals

UD21x18 ratePerSecond; // 18 decimals

+ UD21x18 minRatePerSecond;

// slot 1

address sender;

uint40 snapshotTime;

bool isStream;

and in sablierFlow._adjustRatePerSecondadd the following lines :

function _adjustRatePerSecond(uint256 streamId, UD21x18 newRatePerSecond) internal {

// Check: the new rate per second is different from the current rate per second.

if (newRatePerSecond.unwrap() == _streams[streamId].ratePerSecond.unwrap()) {

revert Errors.SablierFlow_RatePerSecondNotDifferent(streamId, newRatePerSecond);

}

+ if (newRatePerSecond.unwrap() < _streams[streamId].minratePerSecond.unwrap()) {

+ revert();

+ }

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

699

29 USDC / LOC

High Medium

19,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.