Double Accounting Of EXA Reserves While Canceling a Vest
Summary
When a user cancels his vest ,the EXA he put up as reserves is returned back , but this is transfer of EXA reserves is accounted twice and thus user receives twice the reserves he put up.
Vulnerability Detail
Let's break down the cancel function ->
1.) A user wants to cancel his vest , calls cancel() with the streamIds for his vests.
This issue is invalid because the callback onStreamCanceled will only be called if the stream was canceled directly through Sablier and not via EscrowedEXA::cancel.
sakshamguruji
high
Double Accounting Of EXA Reserves While Canceling a Vest
Summary
When a user cancels his vest ,the EXA he put up as reserves is returned back , but this is transfer of EXA reserves is accounted twice and thus user receives twice the reserves he put up.
Vulnerability Detail
Let's break down the cancel function ->
1.) A user wants to cancel his vest , calls
cancel()
with the streamIds for his vests.https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/periphery/EscrowedEXA.sol#L133
2.) It is made sure the recipient of the vest is the msg.sender
3.)
streamReserves
are calculated adding up all the reserves for the streamIds (summing up all the reserve amounts for the user's vests).4.) Then the sablier's cancel function is called , that function invokes a callback function i.e.
onStreamCanceled()
5.) That function https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/periphery/EscrowedEXA.sol#L188-L192
calls
returnReserves()
at L192 and that function ->We can see that the streamId's reserve is returned/transferred here.
6.) Therefore in the for loop at L135 , all the reserves associated with the streamIds would be returned to the recipient.
7.) But , at L147 here https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/periphery/EscrowedEXA.sol#L147 we again transfer the
streamReserves
(summation of all reserves) to the recipients , leading to recipient receiving twice the reserves he should have.Impact
The recipient would always receive twice the number of reserves he should have received due to double accounting.
Code Snippet
https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/periphery/EscrowedEXA.sol#L147
https://github.com/sherlock-audit/2024-04-interest-rate-model/blob/main/protocol/contracts/periphery/EscrowedEXA.sol#L143
Tool used
Manual Review
Recommendation
Don't perform the transfer of reserves at L147