sablier-contracts

Sablier is a powerful onchain token distribution protocol. Here are some key definitions:

The Sablier Protocol: A collection of persistent, non-upgradeable smart contracts to facilitate streaming of ERC-20 tokens on Ethereum and other EVM blockchains. The Sablier Protocol consists of Lockup, Merkle Airdrops, and Flow. The Sablier Interface: A web interface that allows for easy interaction with the Sablier Protocol. The interface is only one of many ways to interact with the Sablier Protocol. Sablier Labs: The company that develops the Sablier Protocol, the Sablier Interface, and the documentation website you are reading right now.

Scope

In-Scope Targets:

This bounty covers bugs of critical or high severity that could lead to the unauthorized transfer or loss of funds from the Sablier smart contracts.

Airdrops at 5b06824
Flow at e55caba
Lockup at baf9a9e

Out-of-Scope Targets:

Code outside the src directories.
External code in node_modules, except code explicitly used by a deployed contract from src.
Deployments on test networks.
Bugs in third-party contracts or platforms interacting with the Sablier Protocol.
Bugs that have already been reported in previous audits

Vulnerabilities contingent upon the occurrence of any of the following are also out-of-scope:

Front-end bugs (e.g., clickjacking) and related social engineering attacks.
DNS configuration records.
DDoS attacks, spamming, or phishing.
Private key leaks.
Automated tools (e.g., Github Actions).
Compromise or misuse of third party systems or services.

Note: If a vulnerability is of exceptional severity, we may accept submissions involving code outside the defined scope. However, the threshold for such reports is significantly higher, and reward eligibility will be assessed on a case-by-case basis.

Protocol Assumptions

Every protocol is built with certain assumptions. You MUST adhere to them while reporting bugs. You can find protocol assumptions in the respective repositories:

Assumptions in Airdrop Protocol
Assumptions in Flow Protocol
Assumptions in Lockup Protocol

Prohibited Actions

No Unauthorized Testing on Production Environments:

Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

No Public Disclosure Without Consent:

Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

No Exploitation or Data Exfiltration:

Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

No Conflict of Interest:

Individuals currently or formerly employed by Sablier, or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

Report must include:

A clear description of the vulnerability and its impact.
Steps to reproduce the issue, ideally with a proof of concept.
Details on the conditions under which the issue occurs.
Potential implications if the vulnerability were exploited.

If a reported issue is exploited before it is fixed, the submission will not be eligible for a bounty.

Reports should be made as soon as possible - ideally within 24 hours of discovery.

Anyone who reports a unique, previously unreported vulnerability that results in a change to the code or a configuration, and who keeps such vulnerability confidential until resolution, will be recognised publicly if they choose.

Eligibility

To qualify for a reward under this Program, you MUST:

Identify a previously unreported, non-public vulnerability within the scope of this Program that could result in the loss or freeze of any ERC-20 token in any of the Sablier Protocols (excluding third-party platforms interacting with it).
Ensure the vulnerability is distinct from issues covered in previous Audits.
Be the first to report the unique vulnerability in accordance with the disclosure requirements specified above. In cases of multiple similar reports within 24 hours, rewards will be split at the discretion of Sablier Labs.
Provide sufficient information to allow our engineers to reproduce and remediate the vulnerability.
Refrain from any unlawful conduct when disclosing the bug (e.g., threats or coercive tactics).
Avoid exploiting the vulnerability or profiting from it beyond the offered reward.
Make a genuine effort to prevent privacy violations, data destruction, or any interruption or degradation of Sablier Protocol.
Submit only one vulnerability per submission, unless chaining vulnerabilities is necessary to demonstrate the impact of any of them.
Not submit a vulnerability that stems from an underlying issue for which a reward has already been paid under this Program.
Not have exploited the vulnerability in any malicious manner.
Not have disclosed the vulnerability to third parties before receiving permission.
Comply with all Program rules and applicable laws.
You must not be a current or former employee, vendor, or contractor of Sablier Labs, or an employee of any of its vendors or contractors.
You must not be subject to UK sanctions or reside in a UK-embargoed country.
Be at least 18 years old, or if underage, submit the vulnerability with the consent of a parent or guardian.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level	Impact: Critical	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium	Low
Likelihood: Medium	High	High	Medium	Low
Likelihood: Low	Medium	Medium	Low	Informational

Impact Definitions:

Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.

Likelihood Definitions:

High: Very easy to exploit or highly incentivized.
Medium: Exploitation is possible under certain conditions.
Low: Difficult to exploit or requires highly specific conditions.

Payout Guidelines

Risk Score	Payout Range
Critical	Up to $100,000

Rewards will be allocated based on the severity and impact of the disclosed bug after a thorough assessment by the Sablier team. For critical bugs that lead to significant unauthorized fund transfers, rewards of up to $100,000 will be granted. Lower severity bugs may receive nominal rewards or none at all, as determined by the Sablier Labs team.

Note: Actual reward amounts are determined at Sablier Labs's sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.

Other Terms

By submitting a report, you grant Sablier Labs the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Sablier Labs. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.