Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address audit findings 3, 5, and 11 #1131

Merged
merged 6 commits into from
Jan 7, 2025
Merged

Address audit findings 3, 5, and 11 #1131

merged 6 commits into from
Jan 7, 2025
+95 −44

Conversation

andreivladbrg
Copy link
Member

@andreivladbrg andreivladbrg commented Jan 5, 2025
edited
Loading

Changes

  • refactor: add blockTimestamp param in VestingMath functions
  • refactor: add casting to uint256 in calculateStreamedPercentage
  • docs: add assumptions in VestingMath function
  • docs: improve explanatory comments

Addresses these audit findings:

@andreivladbrg
refactor: add blockTimestamp param in VestingMath functions
7cdba72 
refactor: remove unchecked in calculateStreamedPercentage
docs: add assumptions in VestingMath function
docs: improve explanatory comments
@PaulRBerg PaulRBerg changed the title Address audit findings Address audit findings 3, 5, and 11 Jan 6, 2025
smol-ninja
smol-ninja requested changes Jan 6, 2025
View reviewed changes
Copy link
Member

@smol-ninja smol-ninja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good @andreivladbrg. Only one comment below:

src/libraries/VestingMath.sol Outdated Show resolved Hide resolved
src/libraries/VestingMath.sol Outdated Show resolved Hide resolved
PaulRBerg and others added 2 commits January 6, 2025 19:14
smol-ninja
smol-ninja requested changes Jan 7, 2025
View reviewed changes
Copy link
Member

@smol-ninja smol-ninja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work Andrei. Left few comments below. I also realized that we do not have anything like the following in calculateLockupTranchedStreamedAmount while we have it in LL and LD calculations.

            // Although the streamed amount should never exceed the deposited amount, this condition is checked
            // without asserting to avoid locking tokens in case of a bug. If this situation occurs, the withdrawn
            // amount is considered to be the streamed amount, and the stream is effectively frozen.
            if (streamedAmount > depositedAmount) {
                return withdrawnAmount;
            }

src/SablierLockup.sol Outdated Show resolved Hide resolved
src/libraries/VestingMath.sol
returns (uint128)
{
uint256 blockTimestamp = block.timestamp;
// If the start time is in the future, return zero.
if (timestamps.start > blockTimestamp) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This if block is redundant. We already have the following logic in this function:

        if (tranches[0].timestamp > blockTimestamp) {
            return 0;
        }

Copy link
Member Author

@andreivladbrg andreivladbrg Jan 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That’s correct—in our case, this check can be removed. However, I left it intentionally because if someone calls this function with an incorrect set of tranches but the correct start time, it would return 0.

Our example for abort functionality

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"start time" does not exist in the context of tranched streams. So, one solution could be to only pass timestamps.end as the input parameter but then I suppose, for the API consistencies, you decided to pass timestamps struct, which is good choice.

How about that, instead of reverting on invalid timestamps.start value, we add it as an assumption i.e. this function does not check for timestamps.start value?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shw from cantina also recommended something similar: https://cantina.xyz/code/52d6aa1e-6aa4-4e73-96ed-6077652cf0f1/findings/5#comment-1583e631-54c2-45b8-aff3-4422bba95142

@andreivladbrg
Copy link
Member Author

I also realized that we do not have anything like the following in calculateLockupTranchedStreamedAmount while we have it in LL and LD calculations.

Correct. The reason we have these checks in linear/dynamic is because they involve math-sensitive operations in Solidity, the use of elapsedTimePercentage (division followed by multiplication). In the case of tranche, we only perform a sum (i.e. addition), which should be safe.

PaulRBerg
PaulRBerg approved these changes Jan 7, 2025
View reviewed changes
Copy link
Member

@PaulRBerg PaulRBerg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lil feedback below

src/LockupNFTDescriptor.sol Outdated Show resolved Hide resolved
src/libraries/VestingMath.sol Outdated Show resolved Hide resolved
src/libraries/VestingMath.sol Show resolved Hide resolved
src/libraries/VestingMath.sol Outdated Show resolved Hide resolved
src/SablierLockup.sol Outdated Show resolved Hide resolved
@andreivladbrg andreivladbrg merged commit 974f93a into staging Jan 7, 2025
9 checks passed
@andreivladbrg andreivladbrg deleted the avb/audit-fixes branch January 7, 2025 22:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PaulRBerg PaulRBerg PaulRBerg approved these changes

@smol-ninja smol-ninja smol-ninja requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@andreivladbrg @smol-ninja @PaulRBerg