Flow

Sablier
FoundryDeFi
20,000 USDC
Submission Details
Severity: high
Invalid

Divide-by-Zero Vulnerability in `depletionTimeOf` Function


Summary

A critical vulnerability exists in the depletionTimeOf function of the SablierFlow contract that can lead to a divide-by-zero revert. The function does not check whether a stream is voided before calculating the depletion time. When a stream is voided, its ratePerSecond is set to zero; using that zero value as a divisor causes the call to revert unexpectedly, disrupting users and any contract logic that depends on the function.

Vulnerability Details

In the depletionTimeOf function, there is a calculation involving the variable solvencyPeriod, which divides solvencyAmount by _streams[streamId].ratePerSecond. If a stream is voided, ratePerSecond is set to zero. However, the function does not currently check if the stream is voided before proceeding with the division. When ratePerSecond is zero, a divide-by-zero error occurs, causing the transaction to revert.

The code snippet showing the issue is as follows:

```solidity
// ratePerSecond is 0 once the stream has been voided
uint256 ratePerSecond = _streams[streamId].ratePerSecond.unwrap();
unchecked {
    // solvencyAmount is computed earlier in the function; a zero divisor
    // still triggers Panic(0x12) here, since `unchecked` does not disable
    // Solidity's division-by-zero check
    uint256 solvencyPeriod = solvencyAmount / ratePerSecond; // Potential divide-by-zero
}
```

Impact

Any call to depletionTimeOf on a voided stream will revert due to the divide-by-zero error, causing a disruption for users trying to retrieve information about their streams. The lack of robust error handling in the function makes the contract less reliable and could cause confusion for users.

Tools Used

Manual Review

Recommendations

Modify the depletionTimeOf function to include a check for voided streams or zero value of ratePerSecond. The function should return 0 for depletionTime without performing any further calculations.
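The following Foundry test is an added illustration, not Sablier's code or part of the original submission: a simplified stand-in contract (names and storage layout are assumed) models a voided stream as ratePerSecond == 0, shows the unguarded division reverting with Panic(0x12) even inside an `unchecked` block, and shows the recommended early return of 0 beside it.

```solidity
pragma solidity ^0.8.22;
import {Test, stdError} from "forge-std/Test.sol";

/// Simplified stand-in for the depletion-time math (hypothetical, not Sablier's contract).
/// A voided stream is modelled by ratePerSecond == 0.
contract DepletionMock {
    struct Stream { uint128 balance; uint128 ratePerSecond; uint40 snapshotTime; }
    mapping(uint256 => Stream) internal _streams;
    function create(uint256 id, uint128 balance, uint128 rps) external {
        _streams[id] = Stream(balance, rps, uint40(block.timestamp));
    }
    function void(uint256 id) external { _streams[id].ratePerSecond = 0; }
    // Unguarded: dividing by a zero rate panics even inside `unchecked` (Solidity >= 0.8).
    function depletionTimeOfUnguarded(uint256 id) external view returns (uint256) {
        Stream memory s = _streams[id];
        unchecked {
            uint256 solvencyPeriod = uint256(s.balance) / s.ratePerSecond;
            return s.snapshotTime + solvencyPeriod;
        }
    }
    // Guarded: return 0 for a voided (zero-rate) stream before any division, as recommended.
    function depletionTimeOfGuarded(uint256 id) external view returns (uint256) {
        Stream memory s = _streams[id];
        if (s.ratePerSecond == 0) return 0;
        unchecked {
            return s.snapshotTime + uint256(s.balance) / s.ratePerSecond;
        }
    }
}

contract DepletionTest is Test {
    DepletionMock mock = new DepletionMock();
    function test_voidedStreamReverts() public {
        mock.create(1, 1_000e6, 10e6); // constructed values: 1000 USDC at 10 USDC/s
        mock.void(1);
        vm.expectRevert(stdError.divisionError); // Panic(0x12): division by zero
        mock.depletionTimeOfUnguarded(1);
    }
    function test_voidedStreamGuardedReturnsZero() public {
        mock.create(1, 1_000e6, 10e6);
        mock.void(1);
        assertEq(mock.depletionTimeOfGuarded(1), 0);
        mock.create(2, 1_000e6, 10e6); // active stream: depletes in 100 s
        assertEq(mock.depletionTimeOfGuarded(2), block.timestamp + 100);
    }
}
```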

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
