Flow

Sablier

FoundryDeFi

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Incorrect Debt Calculation Logic in `depletionTimeOf` Function Leading to Potential Underflow

0xbeastboy

Github

https://github.com/Cyfrin/2024-10-sablier/blob/8a2eac7a916080f2022527408b004578b21c51d0/src/SablierFlow.sol#L92

Summary

In the SablierFlow contract’s depletionTimeOf function, there is an issue with how the function calculates when the stream’s balance will be fully depleted. Specifically, the logic does not properly handle situations where the recorded debt (stored in snapshotDebtScaled) is greater than the stream’s balance. This can lead to an “underflow” error that results in the calculation showing an extremely high and incorrect depletion time. This issue can create serious problems by breaking the contract’s expected behavior, making funds seem like they will last indefinitely, even when they are close to depletion.

Vulnerability Details

The function depletionTimeOf is intended to calculate the exact time when the stream balance will run out based on the rate at which tokens are deducted. The issue lies in how it handles situations when:

A snapshot has been taken earlier, capturing the debt at that time.
Then, a withdrawal occurs, reducing the stream’s balance.

This situation makes it possible for the recorded debt (snapshotDebtScaled) to be higher than the current balance (balanceScaled).

The calculation inside the function currently looks like this:

uint256 solvencyAmount = balanceScaled - snapshotDebtScaled + oneMVTScaled;

When balanceScaled is smaller than snapshotDebtScaled + oneMVTScaled, this subtraction underflows. Instead of a negative result (which Solidity doesn’t support), the value wraps around to a very high positive number (close to type(uint256).max). This unchecked math error results in an incorrect and extremely high depletion time.

Impact

Due to the underflow error, the depletion time is set to an unreasonably large future timestamp, making it appear as if the balance will never run out. This misleads the contract’s users or dependent systems, who expect accurate information about when funds will be depleted.

Any other part of the contract or external contracts relying on depletionTimeOf for financial flows, automatic payments, or specific triggers will not work as expected. This can lead to serious inconsistencies, such as funds remaining locked longer than intended or payouts not being triggered correctly.

Tools Used

Manual Review

Recommendations

Adding a check to prevent snapshotDebtScaled from exceeding balanceScaled can fix this issue.

Updates

Lead Judging Commences

inallhonesty Lead Judge

10 months ago

inallhonesty Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

699

29 USDC / LOC

High Medium

19,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.