Flow

Sablier

FoundryDeFi

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Lack of Access Control in void Function

0xserpent

Description

location : src/SablierFlow.sol

The void function allows either the sender, the recipient, or an approved third party to void a stream. However, the actual access control in the _void internal function only checks if msg.sender is either the stream's sender or an approved third party. It allows any approved address to void the stream.

code :

function _void(uint256 streamId) internal {

// Check: `msg.sender` is either the stream's sender, recipient or an approved third party.

if (msg.sender != _streams[streamId].sender && !_isCallerStreamRecipientOrApproved(streamId)) {

revert Errors.SablierFlow_Unauthorized({ streamId: streamId, caller: msg.sender });

}

// ... [rest of the function] ...

}

The _isCallerStreamRecipientOrApproved function determines whether the caller is the recipient or an approved address.

There is a potential issue where an approved address (approved for transfer of the NFT token) can void the stream, which might not be intended.

Impact

An approved operator could void a stream without the consent of the sender or recipient, potentially disrupting the payment stream and causing financial loss.

Recommendation

Restrict Access to Void Function: Adjust the access control to ensure only the sender or the recipient can void the stream, unless deliberately intended to allow any approved operator to do so.

If the intended behavior is that only the sender or recipient can void the stream, change the access control check to:

if (msg.sender !=_streams[streamId].sender && msg.sender != _ownerOf(streamId)) {

revert Errors.SablierFlow_Unauthorized({ streamId: streamId, caller: msg.sender });

}

If approved operators should have this ability, document this behavior thoroughly to ensure users are aware.

Updates

Lead Judging Commences

inallhonesty Lead Judge

9 months ago

inallhonesty Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

inallhonesty Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

699

29 USDC / LOC

High Medium

19,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.