Flow

Summary

While ISablierFlowBase interface inherits IERC4906 from OpenZeppelin Contracts library, neither SablierFlowBase nor SablierFlow contracts implement supportsInterface method as required by EIP-4906 specification.

Vulnerability Details

ISablierFlowBase interface inherits IERC4906 (ISablierFlowBase.sol#L19):

The SablierFlow contract intends to notify of possible metadata changes by emitting MetadataUpdate events through the updateMetadata modifier when the stream parameters change. Additionally, it emits BatchMetadataUpdate when a new IFlowNFTDescriptor is set (SablierFlowBase.sol#L258) or the protocol fee is updated (SablierFlowBase.sol#L282).

However, neither the SablierFlowBase nor the SablierFlow contracts contain an overridden supportsInterface method, effectively using the original method as implemented in the ERC721 contract and ignoring the EIP-4906 specification requirement:

The supportsInterface method MUST return true when called with 0x49064906.

Impact

The dynamic nature of Flow NFT metadata will require proper integration with NFT marketplaces and other protocols to respond to metadata updates. This integration could be compromised because they rely on supportsInterface to return true when asked about support for the 0x49064906 interface. The result of this discrepancy will be that users of those protocols may be misled by stale metadata, potentially leading to financial losses.

While the current NFT descriptor returns static metadata, this is subject to change, as it can be updated to a new, advanced implementation that returns dynamic graphics, as mentioned by the sponsor in the kickoff video at 21:02 - https://youtu.be/84-qUk22F74?t=1261.

Nevertheless, because the SablierFlowBase and SablierFlow contracts are immutable, it is important to address this issue immediately without compromising future functionality.

Tools Used

Manual Review

Recommendations

Implement supportsInterface() function in SablierFlowBase.sol as per EIP-4906 reference implementation: