The `_void` function in SablierFlow.sol is exposed to a transaction-ordering race: the uncovered debt it writes off is computed from the stream's on-chain state at the moment the void transaction executes, so a recipient withdrawal mined immediately before it changes the outcome. This could allow a recipient to withdraw more tokens than intended during the voiding process.
The debt calculation (`_uncoveredDebtOf`) and the state updates happen inside the void transaction, but nothing prevents other transactions from being ordered ahead of it. Between the sender submitting the void and the stream being marked as voided, a recipient could do the following:
Notice the void transaction in the mempool
Front-run it with a withdrawal
Receive more tokens than they should based on the final debt calculation
The vulnerability could
Stream has a 100 token balance
Sender submits a void transaction
Recipient monitors the mempool
When the void transaction is seen:
Recipient front-runs it with a withdrawal of the currently withdrawable amount
Void transaction completes with a debt calculation based on the post-withdrawal state rather than the state the sender saw when submitting
More tokens are withdrawn than should be possible as a result
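To make the scenario above checkable, here is an added Python model of the stream accounting. It is not SablierFlow's code; the stream mechanics it uses (debt formula, withdrawal capped at covered debt, what void writes off) are assumptions simplified from the Flow design and are marked as such in the comments. It runs the two transaction orderings the steps describe, void mined first versus the recipient's withdrawal mined first, and reports what the recipient ends up with in each case.

```python
"""
Added example (not SablierFlow's code): a minimal model of a Flow-style stream
used to compare the recipient's outcome when the void transaction is mined first
versus when the recipient's withdrawal front-runs it.

Assumptions (simplified from the Flow design, not taken from the finding):
- total debt = snapshot debt + rate * seconds elapsed since the snapshot
- covered debt = min(total debt, balance); uncovered = total debt - balance if positive
- withdraw() is capped at covered debt
- void() writes off uncovered debt by snapshotting the debt at the balance,
  sets the rate to zero and marks the stream voided
"""
from dataclasses import dataclass


@dataclass
class Stream:
    balance: int              # tokens deposited and not yet withdrawn
    rate_per_second: int      # streaming rate (tokens per second)
    snapshot_time: int        # timestamp of the last snapshot
    snapshot_debt: int = 0    # debt accrued up to snapshot_time
    voided: bool = False

    def total_debt(self, now: int) -> int:
        return self.snapshot_debt + self.rate_per_second * (now - self.snapshot_time)

    def covered_debt(self, now: int) -> int:
        return min(self.total_debt(now), self.balance)

    def uncovered_debt(self, now: int) -> int:
        return max(self.total_debt(now) - self.balance, 0)

    def withdraw(self, now: int, amount: int) -> int:
        """Recipient withdrawal, capped at covered debt (assumption)."""
        if amount > self.covered_debt(now):
            raise ValueError("withdraw exceeds covered debt")
        self.snapshot_debt = self.total_debt(now) - amount
        self.snapshot_time = now
        self.balance -= amount
        return amount

    def void(self, now: int) -> int:
        """Sender voids the stream; returns the uncovered debt written off."""
        written_off = self.uncovered_debt(now)
        if written_off > 0:
            self.snapshot_debt = self.balance   # debt can never exceed balance after void
        else:
            self.snapshot_debt = self.total_debt(now)
        self.snapshot_time = now
        self.rate_per_second = 0
        self.voided = True
        return written_off


def run_ordering(front_run: bool, balance: int = 100, rate: int = 1, now: int = 150) -> dict:
    """Replay one block at time `now` with the void either first or front-run.

    Defaults are constructed values: 100 tokens deposited, 1 token/s streamed
    for 150 s, so total debt is 150 and 50 of it is uncovered.
    """
    s = Stream(balance=balance, rate_per_second=rate, snapshot_time=0)
    got = 0
    if front_run:
        # Recipient's withdraw is mined in the block before the sender's void
        got += s.withdraw(now, s.covered_debt(now))
    written_off = s.void(now)
    # Whatever is still claimable after the void
    got += s.withdraw(now, s.covered_debt(now))
    return {"recipient_total": got, "written_off": written_off, "balance_left": s.balance}


def front_run_gain(**kwargs) -> int:
    """Extra tokens the recipient gets by front-running, under this model."""
    return run_ordering(True, **kwargs)["recipient_total"] - run_ordering(False, **kwargs)["recipient_total"]


if __name__ == "__main__":
    print("void first :", run_ordering(False))
    print("front-run  :", run_ordering(True))
    print("gain       :", front_run_gain())
```

Under the cap-at-covered-debt assumption the model gives the recipient the same 100 tokens in either ordering and writes off the same 50 tokens of uncovered debt, so a proof of concept for the claimed over-withdrawal needs to show a path where that cap does not hold, or where the real contract's cap differs from this model.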
Allows withdrawal of additional tokens without authorization and could drain the stream balance beyond the intended amount. The exploit requires only mempool monitoring, can be automated, and needs no permissions beyond being the stream recipient.
Manual code review
Make the void workflow atomic with respect to the recipient's withdrawals
Also consider adding a withdrawal lock during void