Flow

Sablier
Foundry, DeFi
20,000 USDC
Submission Details
Severity: medium
Invalid

stream sender can prevent users from viewing depletion time of stream by front-running

Summary

For whatever reason a user might want to see the depletion time of a stream, they should be able to by calling `depletionTimeOf(streamId)`. However, this function can be bricked by pausing, which is controlled by the sender and can be done for malicious reasons.

Vulnerability Details

A user calls `depletionTimeOf` to become informed about whether contributing to a stream might be a good idea or good timing. This function can be disabled by a sender simply pausing the stream, causing the function to revert.

`user calls -> depletionTimeOf -> sender frontruns pausing the flow stream before the call is executed`

Impact

Users will not be able to use the depletionTime function for as long as the sender decides.

Tools Used

Manual review

Recommendations

Depletion time should be calculated in a way that accommodates 0 flow stream rates and does not revert as a view function.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

0xmsf14 Submitter
10 months ago
inallhonesty Lead Judge
10 months ago
inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
