0xAnmol - The First CouncilNFT holder can drain all the tokens from sablier

[sherlock-admin]

0xAnmol

medium

The First CouncilNFT holder can drain all the tokens from sablier

Summary

The First CouncilNFT holder can drain all the tokens from sablier

Vulnerability Detail

The protocol is supposed to send tokens to the Sablier stream before the minting of the councilMember NFT occurs. If this step is not completed, minting will throw an error with ERC20: InsufficientBalance due to a balance of 0 in the Sablier _target address.

In this scenario, if the NFT is minted individually then, the first NFT holder can call retrieve multiple times increasing its TEL balance and draining the streaming funds.

Steps protocol send 1000 TEL to sablier stream mint councilMember NFT to user- A user - A calls retrieve multiple times frontrunning all other mint transactions balances[0] = 1000 TEL

Impact

Initial members can drain all the streaming funds.

Code Snippet

https://github.com/sherlock-audit/2024-01-telcoin/blob/0954297f4fefac82d45a79c73f3a4b8eb25f10e9/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L82

Tool used

Manual Review

Recommendation

The rewards should be streamed per second bases rather than streaming when retrieve is called.

[sherlock-admin2]

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because { This is invalid as the first call to retrieve will send the max token available making it impossible to call multiple times as the watson explain}

[nevillehuang]

Invalid, if there is only one council elected, then sure they can retrieve what they deserve. In addition, it is up to owner() to transfer delegated rewards