Flow
Sablier
FoundryDeFi
20,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

A sender cannot be a receiver while creating streams

p4y4bl3

Summary

It doesn't make sense to create a stream between sender and receiver as same address. So a malicious actor will create many streams by giving same sender address as receiver

Vulnerability Details

https://github.com/Cyfrin/2024-10-sablier/blob/8a2eac7a916080f2022527408b004578b21c51d0/src/SablierFlow.sol#L216

In SablierFlow.sol::create() a user can create a stream between any two entities. A malicious person will spam the protocol by creating infinite no of streams by giving same sender address as receiver. In some cases a sender can give same receiver address by mistake. In this scenario it doesn't make sense to create a stream like that.

Impact

So a malicious attacker can create many no of streams as sender and receiver as his address and will spam the protocol as there is no finanical loss to the attacker to do so.

Tools Used

Manual Inspection

Recommendations

Add a check in SablierFlow.sol::_create() as sender and receiver shouldn't be same

function _create(
address sender,
address recipient,
UD21x18 ratePerSecond,
IERC20 token,
bool transferable
)
internal
returns (uint256 streamId)
{
require(sender != recipient, "sender shouldn't be a receiver");
....
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

p4y4bl3 Submitter
9 months ago
inallhonesty Lead Judge
9 months ago
inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.