Flow

Sablier
FoundryDeFi
20,000 USDC
Submission Details
Severity: medium
Invalid

Recipients can evade protocolFee by withdrawing small amounts at a time

Summary

The `protocolFeeAmount` is calculated as a percentage of the amount a recipient withdraws. To bypass the `protocolFeeAmount`, the recipient can withdraw very small amounts at a time, small enough that the `protocolFeeAmount` is rounded down to zero. He will of course pay more gas, but fees on some EVM chains (layer 2s) can be low enough to make this profitable.

Vulnerability Details

The proof of concept below shows a recipient withdrawing 99 wei at a time; the `protocolFeeAmount` charged on the withdrawal is 0. The `protocolFee` used is 1%. Solidity's integer division rounds 1% of 99 wei down to 0, which is why this withdrawal succeeds without paying any fee.
```solidity
// -------------------------- withdraw/withdraw.t.sol -----------------------------------
function test_WithdrawalWithoutFeePayment_Audit()
    external
    whenNoDelegateCall
    givenNotNull
    whenAmountNotZero
    whenWithdrawalAddressNotZero
    whenWithdrawalAddressOwner
    whenAmountNotOverdraw
    whenAmountEqualTotalDebt
{
    // Go back to the starting point.
    vm.warp({ newTimestamp: OCT_1_2024 });
    resetPrank({ msgSender: users.sender });

    // Create the stream and make a deposit.
    uint256 streamId = createDefaultStream(tokenWithProtocolFee);
    deposit(streamId, DEPOSIT_AMOUNT_6D);

    // Simulate one month of streaming.
    vm.warp({ newTimestamp: WARP_ONE_MONTH });

    // Make the recipient the caller in this test.
    resetPrank({ msgSender: users.recipient });

    // Withdraw 99 wei. protocolFee is 1%.
    // protocolFeeAmount is roundDown(99 * 0.01 = 0.99) = 0.
    _test_Withdraw({
        streamId: streamId,
        to: users.recipient,
        depositAmount: DEPOSIT_AMOUNT_6D,
        protocolFeeAmount: 0,
        withdrawAmount: 99
    });
}
```
Please copy the code above into the stated file and run it.

Impact

The protocol will lose fees.

Tools Used

Manual review

Recommendations

Define minimum withdrawal amount so that `protocolFeeAmount` will always be greater than 0 when percentage `protocolFee` is greater than 0.
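To make the rounding in the Vulnerability Details and the fix in the Recommendation concrete, here is an added example that is not Sablier's code: a small Solidity library that models the fee computation as `amount * fee / 1e18` with `fee` scaled like a UD60x18 value (1% = `0.01e18`), shows the 99 wei case rounding to zero, derives the minimum withdrawal amount at which a non-zero `protocolFee` always yields a non-zero fee, and contrasts it with the alternative of rounding the fee up. The `FeeMath` library, its function names and the Foundry test contract are all assumptions for illustration; the test assumes forge-std is installed in the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

import { Test } from "forge-std/Test.sol";

/// Illustrative library (not Sablier code). `fee` is a fraction scaled by 1e18,
/// so 1% is 0.01e18, mirroring the UD60x18 convention used for protocolFee.
library FeeMath {
    uint256 internal constant ONE = 1e18;

    /// Vulnerable pattern: floor division, so any amount below ceil(ONE / fee)
    /// pays a fee of exactly 0 wei.
    function feeRoundedDown(uint256 amount, uint256 fee) internal pure returns (uint256) {
        return amount * fee / ONE;
    }

    /// Smallest withdrawal for which the floor-rounded fee is at least 1 wei:
    /// ceil(ONE / fee). For fee = 0.01e18 this evaluates to 100 wei.
    function minWithdrawForNonZeroFee(uint256 fee) internal pure returns (uint256) {
        require(fee > 0, "fee is zero");
        return (ONE + fee - 1) / fee;
    }

    /// Mitigation A (the recommendation above): reject withdrawals that are too
    /// small to carry a fee whenever a fee is configured.
    function feeWithMinimum(uint256 amount, uint256 fee) internal pure returns (uint256) {
        if (fee > 0) {
            require(amount >= minWithdrawForNonZeroFee(fee), "withdrawal below fee minimum");
        }
        return amount * fee / ONE;
    }

    /// Mitigation B: round the fee up, so fee > 0 and amount > 0 never yield 0.
    /// The recipient slightly overpays on tiny withdrawals instead of underpaying.
    function feeRoundedUp(uint256 amount, uint256 fee) internal pure returns (uint256) {
        uint256 product = amount * fee;
        if (product == 0) return 0;
        return (product - 1) / ONE + 1;
    }
}

/// Foundry test exercising the library with the 1% fee from the finding.
contract FeeMathTest is Test {
    uint256 internal constant ONE_PERCENT = 0.01e18;

    function test_99WeiPaysZeroWithFloorDivision() external pure {
        // The case from the proof of concept: floor(99 * 0.01) = 0.
        assertEq(FeeMath.feeRoundedDown(99, ONE_PERCENT), 0);
        // One more wei and the fee becomes non-zero.
        assertEq(FeeMath.feeRoundedDown(100, ONE_PERCENT), 1);
    }

    function test_MinimumWithdrawalThreshold() external pure {
        assertEq(FeeMath.minWithdrawForNonZeroFee(ONE_PERCENT), 100);
        // At the threshold the guarded variant charges 1 wei.
        assertEq(FeeMath.feeWithMinimum(100, ONE_PERCENT), 1);
        // Ten times the threshold charges ten times the fee, as expected.
        assertEq(FeeMath.feeWithMinimum(1000, ONE_PERCENT), 10);
    }

    function test_RoundingUpNeverYieldsZeroFee() external pure {
        assertEq(FeeMath.feeRoundedUp(99, ONE_PERCENT), 1);
        assertEq(FeeMath.feeRoundedUp(1, ONE_PERCENT), 1);
        // Exact multiples are unchanged by rounding up.
        assertEq(FeeMath.feeRoundedUp(100, ONE_PERCENT), 1);
        assertEq(FeeMath.feeRoundedUp(0, ONE_PERCENT), 0);
    }
}
```

Run it with `forge test --match-contract FeeMathTest`. Either mitigation closes the gap the finding describes; a minimum withdrawal amount keeps the fee rule unchanged for normal-sized withdrawals but adds a revert path, while rounding up avoids the revert at the cost of a one-wei overcharge on amounts that are not exact multiples of the fee denominator.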

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity