Flow

Sablier
FoundryDeFi
20,000 USDC
Submission Details
Severity: high
Invalid

Protocol Admin Can Manipulate Stream NFT Metadata

Description:

The protocol admin has the ability to arbitrarily change the NFT descriptor contract, allowing them to manipulate the metadata of all existing stream NFTs. This could be used to trick users about the state of their streams or lure them into interacting with malicious contracts.

Summary:

The setNFTDescriptor function in SablierFlowBase allows the protocol admin to update the NFT descriptor contract at any time. This gives the admin complete control over the metadata and appearance of all stream NFTs. By setting a malicious NFT descriptor, the admin could deceive users or lead them to approve malicious transactions, resulting in loss of funds.

Vulnerability Details:

The vulnerability is located in the setNFTDescriptor function of SablierFlowBase.sol:

```solidity
function setNFTDescriptor(IFlowNFTDescriptor newNFTDescriptor) external override onlyAdmin {
    // Effect: set the NFT descriptor.
    IFlowNFTDescriptor oldNftDescriptor = nftDescriptor;
    nftDescriptor = newNFTDescriptor;

    // Log the change of the NFT descriptor.
    emit SetNFTDescriptor(admin, oldNftDescriptor, newNFTDescriptor);

    // Refresh the NFT metadata for all streams.
    emit BatchMetadataUpdate({ _fromTokenId: 1, _toTokenId: nextStreamId - 1 });
}
```

The tokenURI function used to fetch NFT metadata simply calls the tokenURI of the current NFT descriptor:

```solidity
function tokenURI(uint256 streamId) public view override(IERC721Metadata, ERC721) returns (string memory uri) {
    uri = nftDescriptor.tokenURI(this, streamId);
}
```

A malicious admin could deploy an NFT descriptor that returns misleading or harmful metadata. For example, the metadata could display an incorrect stream balance, causing the user to believe they are owed more than they actually are. Or it could include a link that, when interacted with, tricks the user into approving a malicious spend.

Impact:

High. The protocol admin can unilaterally change what all users see when viewing their stream NFTs. This could be used to deceive users at scale, resulting in significant loss of funds. Because many interfaces and third-party tools rely on the NFT metadata, the potential impact is amplified. Even if the current admin is trusted, the centralized control is a risk: a compromised admin account could wreak havoc.

Tools Used: Manual code review

Recommendations:

  1. Consider making the NFT descriptor immutable once set at contract deployment. This would ensure stream NFT appearance cannot unexpectedly change.

  2. If an upgradeable NFT descriptor is needed, put the upgrade behind a timelock to allow users time to react.

  3. Allow individual stream owners to opt out of descriptor upgrades for their streams.

  4. Include on-chain verification in the tokenURI function to confirm returned metadata matches actual on-chain stream state. This could help catch malicious descriptors.

  5. Clearly warn users about centralized control over NFT appearance and advise caution when relying on NFT metadata.
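One way to implement recommendation 2, as an added illustration that is not Sablier's code: the descriptor change becomes a two-step, timelocked process (queue, then execute after a delay), so users and front-ends get advance notice and a chance to react. The IFlowNFTDescriptor interface shape, the 7-day delay and the event names other than SetNFTDescriptor are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

// Hypothetical interface mirroring the descriptor call made by tokenURI on the page.
interface IFlowNFTDescriptor {
    function tokenURI(address flow, uint256 streamId) external view returns (string memory);
}

/// @notice Illustrative timelocked descriptor update (added example, not SablierFlowBase).
abstract contract TimelockedDescriptor {
    uint256 public constant DESCRIPTOR_DELAY = 7 days; // assumption: 7-day notice period

    address public admin;
    IFlowNFTDescriptor public nftDescriptor;
    IFlowNFTDescriptor public pendingNftDescriptor;
    uint256 public descriptorEffectiveAt;

    event DescriptorUpdateQueued(address indexed admin, IFlowNFTDescriptor indexed pending, uint256 effectiveAt);
    event DescriptorUpdateCancelled(address indexed admin, IFlowNFTDescriptor indexed cancelled);
    event SetNFTDescriptor(address indexed admin, IFlowNFTDescriptor oldDescriptor, IFlowNFTDescriptor newDescriptor);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    /// Step 1: announce the change. Nothing changes for users yet; indexers and UIs can flag it.
    function queueNFTDescriptor(IFlowNFTDescriptor newDescriptor) external onlyAdmin {
        require(address(newDescriptor).code.length > 0, "descriptor must be a contract");
        pendingNftDescriptor = newDescriptor;
        descriptorEffectiveAt = block.timestamp + DESCRIPTOR_DELAY;
        emit DescriptorUpdateQueued(admin, newDescriptor, descriptorEffectiveAt);
    }

    /// The admin can withdraw a queued change before it takes effect.
    function cancelNFTDescriptorUpdate() external onlyAdmin {
        emit DescriptorUpdateCancelled(admin, pendingNftDescriptor);
        delete pendingNftDescriptor;
        delete descriptorEffectiveAt;
    }

    /// Step 2: apply the change only once the delay has elapsed. Anyone may call it,
    /// so the switch happens at the announced time rather than at the admin's discretion.
    function executeNFTDescriptorUpdate() external {
        require(address(pendingNftDescriptor) != address(0), "nothing queued");
        require(block.timestamp >= descriptorEffectiveAt, "timelock active");
        IFlowNFTDescriptor old = nftDescriptor;
        nftDescriptor = pendingNftDescriptor;
        delete pendingNftDescriptor;
        delete descriptorEffectiveAt;
        emit SetNFTDescriptor(admin, old, nftDescriptor);
    }
}
```

Monitoring the DescriptorUpdateQueued event gives wallets and stream viewers a concrete signal to warn users during the delay window.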

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity