On the 3rd of August, at approximately 11pm BST, we became aware of a vulnerability in the Ethereum smart contract underpinning the dapp user interface hosted at beta.sablier.app. The dapp has been downgraded to the Rinkeby testnet, and no interactions with Mainnet are allowed any more.
The vulnerability would allow an attacker to pay themselves with DAI belonging to any user who had previously approved the Sablier contract as a spender on the DAI token contract.
Funds already deposited in the Sablier contract were never at risk; what was exposed was the DAI sitting in the user's own wallet, up to the allowance that user had granted to Sablier. Strictly the DAI balance: Ether and all other tokens could not have been touched, because an ERC20 allowance is granted per token contract and applies only to that token. Read more on ERC20 allowance here.
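To make the scope of the exposure concrete, here is a toy model of ERC20 allowances, added as an illustration for this notice (it is not Sablier or MakerDAO code). The addresses, token names and balances are constructed for the example, and the rule that an "unlimited" allowance of 2**256-1 is never decremented follows the common ERC20 pattern and is an assumption of the model, not a statement about the DAI contract.

```python
"""Toy model of ERC20 allowances: what an approval exposes, and what it does not.

Added illustration, not Sablier or MakerDAO code. Addresses, token names and
balances are constructed; the unlimited-allowance rule is a modelling assumption.
"""
UINT256_MAX = 2**256 - 1

# Constructed addresses for the scenario.
USER = "0xuser"            # a wallet that approved Sablier
SABLIER = "0xsablier"      # the contract that was granted the allowance
RECIPIENT = "0xrecipient"  # wherever the spender directs the pulled tokens


class Token:
    """Minimal ERC20: balances plus per-(owner, spender) allowances."""

    def __init__(self, name, balances):
        self.name = name
        self.balances = dict(balances)
        self.allowances = {}

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner, spender, wad):
        # approve overwrites the previous value; approve(spender, 0) revokes it.
        self.allowances[(owner, spender)] = wad

    def transfer_from(self, caller, src, dst, wad):
        """caller moves wad of src's tokens to dst, bounded by allowance and balance."""
        if self.allowance(src, caller) < wad:
            raise PermissionError(f"{self.name}: insufficient allowance")
        if self.balance_of(src) < wad:
            raise ValueError(f"{self.name}: insufficient balance")
        if self.allowance(src, caller) != UINT256_MAX:   # modelling assumption, see above
            self.allowances[(src, caller)] -= wad
        self.balances[src] -= wad
        self.balances[dst] = self.balance_of(dst) + wad


def exposure(token, owner, spender):
    """Tokens the spender could pull out of owner's wallet right now."""
    return min(token.allowance(owner, spender), token.balance_of(owner))


def scenario():
    dai = Token("DAI", {USER: 500, SABLIER: 10_000})   # 10_000 already deposited in Sablier
    other = Token("OTHER", {USER: 300})                # a second token, never approved
    dai.approve(USER, SABLIER, UINT256_MAX)            # the usual "unlimited" dapp approval

    before = {
        "user DAI": exposure(dai, USER, SABLIER),      # the whole wallet balance is reachable
        "user OTHER": exposure(other, USER, SABLIER),  # separate contract, no approval: 0
        "sablier DAI": exposure(dai, SABLIER, USER),   # deposits are owned by the contract: 0
    }
    dai.transfer_from(SABLIER, USER, RECIPIENT, 200)   # what the allowance permits the spender to do

    dai.approve(USER, SABLIER, 0)                      # transaction 1 from the instructions below
    after = exposure(dai, USER, SABLIER)
    try:
        dai.transfer_from(SABLIER, USER, RECIPIENT, 1)
        revoked = False
    except PermissionError:
        revoked = True
    return before, after, revoked, dai.balance_of(USER), dai.balance_of(RECIPIENT)


if __name__ == "__main__":
    print(scenario())
```

The number to care about is `exposure(token, you, spender)`: with an unlimited approval it equals your entire wallet balance of that token, and only that token; after `approve(spender, 0)` it is zero and any further pull fails on the allowance check.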
We confirm that the vulnerability has not been exploited and all users’ funds are safe. Please expect a technical post-mortem in the near future.
We privately contacted all affected users whose real-world identities were known to us. These users are safeguarded and do not need to take any further action. Their funds represent the bulk of the total balance affected.
If you deposited on Sablier, or merely approved the Sablier contract to spend your tokens, and we have not been in touch with you yet, follow the instructions below.
Please do not send transaction 2 before transaction 1 has been confirmed on-chain. The order is extremely important.
Transaction 1: Set Token Allowance Back to Zero
By default, no Ethereum address has the right to spend DAI on your behalf; an allowance exists only because you granted one by calling "approve". This transaction sets your allowance for the Sablier contract back to that original state, i.e. zero.
- Install MetaMask and connect the account you used to deposit on Sablier (or to approve the Sablier contract)
- Head to the DAI contract on Etherscan
- Tap “Contract” and “Write Contract”
- Tap “Connect to Web3” and accept the dialog box
- Find the “approve” method
- Set “0xeef1392e7044993Fd28bf7878DF85A365b540b92” as the value for the “guy” parameter
- Set “0” (the number ZERO) for the “wad” parameter
- Before signing, check the transaction MetaMask shows you: it must be addressed to the DAI contract, and its data must begin with 0x095ea7b3 (the selector for approve) followed by the Sablier address above, with the amount word entirely zero
- Tap “Write” and sign the transaction with MetaMask
- Once the transaction has been mined, go to “Read Contract”, call “allowance” with your own address as the owner and 0xeef1392e7044993Fd28bf7878DF85A365b540b92 as the spender, and confirm that it returns 0
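As an added example (not code from the Sablier notice or project), here is the calldata that transaction 1 produces, built and verified offline in Python so you can compare it against what MetaMask shows before you sign, or use it to send the revocation from a wallet that accepts raw hex data. It assumes only the standard ERC20 approve(address,uint256) ABI; the Sablier address is the one quoted in the steps above, while the DAI contract address is not given on this page and is deliberately left to the caller.

```python
"""Build, and verify before signing, the calldata for approve(spender, 0).

Added example, not code from the Sablier notice. Runs offline: nothing here
talks to a node or a wallet. The spender address is quoted from the notice;
the DAI contract address is not on the page and is not hard-coded here.
"""

# Four-byte selector for approve(address,uint256): the first 4 bytes of
# keccak256("approve(address,uint256)").
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")

# Spender to revoke: the Sablier beta contract, as given in the instructions above.
SABLIER_BETA = "0xeef1392e7044993Fd28bf7878DF85A365b540b92"


def _encode_address(addr: str) -> bytes:
    raw = bytes.fromhex(addr[2:] if addr[:2].lower() == "0x" else addr)
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")  # left-pad to one 32-byte ABI word


def _encode_uint256(value: int) -> bytes:
    if not 0 <= value < 2**256:
        raise ValueError("value out of uint256 range")
    return value.to_bytes(32, "big")


def approve_calldata(spender: str, wad: int) -> str:
    """Hex calldata for token.approve(spender, wad); send it TO the token contract."""
    return "0x" + (APPROVE_SELECTOR + _encode_address(spender) + _encode_uint256(wad)).hex()


def decode_approve(calldata: str) -> tuple:
    """Parse approve calldata back into (spender, wad); raises if it is not an approve call."""
    data = bytes.fromhex(calldata[2:] if calldata[:2].lower() == "0x" else calldata)
    if len(data) != 4 + 32 + 32:
        raise ValueError("unexpected calldata length for approve")
    if data[:4] != APPROVE_SELECTOR:
        raise ValueError("not an approve(address,uint256) call")
    word = data[4:36]
    if word[:12] != b"\x00" * 12:
        raise ValueError("address word has dirty upper bytes")
    return "0x" + word[12:].hex(), int.from_bytes(data[36:68], "big")


def is_revocation_of(calldata: str, spender: str) -> bool:
    """True only if the calldata sets exactly this spender's allowance to zero."""
    try:
        got_spender, wad = decode_approve(calldata)
    except ValueError:
        return False
    return got_spender.lower() == spender.lower() and wad == 0


if __name__ == "__main__":
    data = approve_calldata(SABLIER_BETA, 0)
    print(data)
    print("safe to sign:", is_revocation_of(data, SABLIER_BETA))
```

`is_revocation_of` is the check to run on the hex MetaMask displays: it rejects anything that is not an approve call, any other spender, and any non-zero amount, so a transaction that would silently grant a new allowance instead of revoking one does not get signed.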
Transaction 2: Proof of Burn
Please send 0.0000308 ETH to the following address:
I sincerely apologise. I founded Sablier to do good for the Ethereum ecosystem, but I made a mistake and I acknowledge it. The landing page did describe the dapp as experimental, beta software, but that doesn’t make for an excuse. I did everything I could to protect all users’ funds and I’m glad that that has come to fruition.
Next steps are to ship v1.0, a version that will patch the vulnerability described here and be audited several times before release. In fact, just last week we received a grant that will get us an audit from a top security firm. But we shall over-invest and get additional pairs of eyes on the code. More on this soon.
The beta.sablier.app domain will remain connected to Rinkeby until further notice. If you have any subsequent questions, do not hesitate to reach out on Twitter or Telegram. We will refund you for the gas paid on the transactions above and also spend as much time as necessary to go through any technical issues.