Flow

Sablier
FoundryDeFi
20,000 USDC
View results
Submission Details
Severity: medium
Invalid

DOS Vector in Stream Withdrawal Due to Precision Loss

Summary

The _withdraw function performs an invariant check that compares debt and balance differences using asymmetric scaling operations. The left side of the comparison undergoes two descaling operations while the right side uses raw values, potentially causing precision mismatches and assertion failures.

https://github.com/Cyfrin/2024-10-sablier/blob/8a2eac7a916080f2022527408b004578b21c51d0/src/SablierFlow.sol#L866

assert(totalDebt - _totalDebtOf(streamId) == balance - _streams[streamId].balance);

Vulnerability Details

The assertion in the withdraw function checks the consistency between the change in total debt and the stream's balance after a withdrawal:

assert(totalDebt - _totalDebtOf(streamId) == balance - _streams[streamId].balance);

This assertion ensures that the change in total debt (totalDebt - _totalDebtOf(streamId)) should match the change in balance (balance - _streams[streamId].balance). However, the _totalDebtOf(streamId) function introduces an additional descaling step which is prone to precision loss though minor, causing the assertion to fail under certain conditions.

Even a small discrepancy caused by rounding errors in the descaling process results in the assertion failing.
The failed assertion reverts the transaction

Impact

Potential denial of service for specific withdrawal amounts

Tools Used

Manual analysis

Recommendations

Add rounding tolerance

Updates

Lead Judging Commences

inallhonesty Lead Judge
9 months ago
inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

ro1sharkm Submitter
9 months ago
inallhonesty Lead Judge
9 months ago
inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.