Closed sherlock-admin2 closed 5 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid because { I consider this a high valid issue; the watson was able to explain how some functions in the councilMembers.sol will not function due to the calling of the _retrieve function in them; he also explained that it is caused by the use of withdrawMax in the external contract, which withdraws the max amount that is in the contract; and also the same contract disallows withdrawal of a zero amount, which means a subsequent call to the retrieve function will revert and not work until there is an amount more than zero}
Ignite
high
DoS in _retrieve() function if the withdrawal from the Sablier is zero
Summary
When the _retrieve() function is called and the withdrawable amount from the Sablier stream is zero, the _retrieve() function will always revert.
Vulnerability Detail
The _retrieve() function is used to retrieve and distribute TELCOIN to council members based on the stream from _target; in this example I assume the _target is a Sablier stream. At lines 271-279, this function executes the withdrawal from the Sablier stream by calling the withdrawMax() function.
By invoking _retrieve(), the maximum withdrawable amount is withdrawn from the stream. Consequently, there is no remaining withdrawable amount for the CouncilMember contract, so the next withdrawal from this contract has a maximum amount of zero, according to the Sablier documentation: (https://docs.sablier.com/contracts/v2/reference/core/abstracts/abstract.SablierV2Lockup#withdrawmax) https://github.com/sablier-labs/v2-core/blob/b0016437ef3cc8606e1100965dd911d7e658b40b/src/abstracts/SablierV2Lockup.sol#L297-L299
However, if _retrieve() is called again, withdrawMax() computes a withdrawable amount of zero and passes it to withdraw(), which reverts on a zero amount, according to the Sablier documentation: (https://docs.sablier.com/contracts/v2/reference/core/abstracts/abstract.SablierV2Lockup#withdraw) https://github.com/sablier-labs/v2-core/blob/b0016437ef3cc8606e1100965dd911d7e658b40b/src/abstracts/SablierV2Lockup.sol#L269-L272
As a result, _retrieve() reverts on the second invocation when it attempts to withdraw a zero amount. Additionally, _retrieve() is highly likely to be called, since most functions in the CouncilMember contract execute it before their own operation.
Impact
If the withdrawable amount of the CouncilMember contract is zero, most functions in the CouncilMember contract that call _retrieve() will fail.
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L270-L279
Tool used
Manual Review
Recommendation
Skip the withdrawal from Sablier if the withdrawable amount is zero.
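The pattern and the recommended guard side by side, as an added example that is not the CouncilMember contract's code nor Sablier's. MockLockup is a constructed stand-in that reproduces only the two behaviours the finding relies on (withdrawMax() forwards the full withdrawable balance to an internal withdraw, and that withdraw reverts on a zero amount); ILockupLike, UnconditionalRetriever, GuardedRetriever, Demo, the accrue() helper and the stream ids 1 and 2 are all assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Stand-in for the two Sablier V2 Lockup entry points the finding relies on.
// Assumption: only these two functions are reproduced, under their Sablier names.
interface ILockupLike {
    function withdrawableAmountOf(uint256 streamId) external view returns (uint128);
    function withdrawMax(uint256 streamId, address to) external;
}

// Constructed mock, not Sablier's code: withdrawMax() forwards the whole
// withdrawable balance to an internal withdraw, which reverts when the amount
// is zero. That is the behaviour the finding describes.
contract MockLockup is ILockupLike {
    error WithdrawAmountZero(uint256 streamId);

    mapping(uint256 => uint128) private _withdrawable;
    mapping(address => uint256) public received;

    // Test helper (assumption): make `amount` withdrawable on `streamId`,
    // standing in for time passing on a real stream.
    function accrue(uint256 streamId, uint128 amount) external {
        _withdrawable[streamId] += amount;
    }

    function withdrawableAmountOf(uint256 streamId) external view returns (uint128) {
        return _withdrawable[streamId];
    }

    function withdrawMax(uint256 streamId, address to) external {
        _withdraw(streamId, to, _withdrawable[streamId]);
    }

    function _withdraw(uint256 streamId, address to, uint128 amount) internal {
        if (amount == 0) revert WithdrawAmountZero(streamId);
        _withdrawable[streamId] -= amount;
        received[to] += amount;
    }
}

// Vulnerable shape (hypothetical, modelled on the finding): every call
// unconditionally withdraws the maximum, so two calls in a row revert.
contract UnconditionalRetriever {
    ILockupLike public immutable target;
    uint256 public immutable streamId;

    constructor(ILockupLike target_, uint256 streamId_) {
        target = target_;
        streamId = streamId_;
    }

    function retrieve() external {
        target.withdrawMax(streamId, address(this));
    }
}

// Hardened shape: consult withdrawableAmountOf() first and skip the withdrawal
// when nothing has accrued. Both calls happen in one transaction, so the
// amount cannot change between the check and the withdrawal.
contract GuardedRetriever {
    ILockupLike public immutable target;
    uint256 public immutable streamId;

    constructor(ILockupLike target_, uint256 streamId_) {
        target = target_;
        streamId = streamId_;
    }

    function retrieve() external {
        if (target.withdrawableAmountOf(streamId) == 0) return;
        target.withdrawMax(streamId, address(this));
    }
}

// Deploy and call run(): it returns (true, true) when the unconditional
// retriever reverts on its second call and the guarded one survives both.
contract Demo {
    function run() external returns (bool vulnerableReverted, bool guardedSurvived) {
        MockLockup lockup = new MockLockup();
        UnconditionalRetriever vuln = new UnconditionalRetriever(lockup, 1);
        GuardedRetriever safe = new GuardedRetriever(lockup, 2);
        lockup.accrue(1, 100);
        lockup.accrue(2, 100);

        vuln.retrieve();                 // first call: withdraws 100
        try vuln.retrieve() {            // second call: withdraw of 0 reverts
            vulnerableReverted = false;
        } catch {
            vulnerableReverted = true;
        }

        safe.retrieve();                 // withdraws 100
        safe.retrieve();                 // nothing accrued: skipped, no revert
        guardedSurvived = lockup.received(address(safe)) == 100;
    }
}
```

The guard makes a zero-accrual call a no-op rather than a revert, which is what the recommendation asks for: functions that run _retrieve() as a prerequisite keep working between accruals, and the next call with a non-zero withdrawable amount withdraws it as before.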
Duplicate of #47