Temporary Shutdown of the Sablier Dapp

Paul Razvan Berg
Aug 5 · 3 min read

On the 3rd of August, at approximately 11pm BST, we became aware of a vulnerability in the Ethereum smart contract underpinning the dapp user interface hosted at beta.sablier.app. The dapp has been downgraded to the Rinkeby testnet, and no interactions are allowed on Mainnet any more.

Exploit Description

The vulnerability would allow an attacker to pay themselves using the tokens belonging to a user that had previously approved Sablier to spend from the DAI contract.

The funds held in the Sablier contract are safe; it is the user’s personal balance that was affected, and strictly the DAI balance: Ether and all other tokens could not have been touched. Read more on ERC20 allowance here.

We confirm that the vulnerability has not been exploited and all users’ funds are safe. Please expect a technical post-mortem in the near future.

Immediate Actions

We privately contacted all affected users whose real-world identities were known to us. These users are safeguarded and do not need to take any further action. Their funds represent the bulk of the total balance affected.

If you deposited on Sablier or just approved the Sablier contract to spend tokens and we hadn’t chatted yet, follow the instructions below.

Please, do not do transaction 2 before transaction 1. Order is extremely important.

Transaction 1: Set Token Allowance Back to Zero

By default, no Ethereum address has the right to spend DAI tokens on your behalf. We have to revert to this original state with regard to the Sablier contract.

  1. Install MetaMask and connect the account you used to deposit on Sablier
  2. Head to the DAI contract on Etherscan
  3. Tap “Contract” and “Write Contract”
  4. Tap “Connect to Web3” and accept the dialog box
  5. Find the “approve” method
  6. Set “0xeef1392e7044993Fd28bf7878DF85A365b540b92” as the value for the “guy” parameter
  7. Set “0” (the number ZERO) for the “wad” parameter
  8. Tap “Write” and sign the transaction with MetaMask
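The following is an added example (not Sablier's code, and not part of the original post) that shows what the Exploit Description and Transaction 1 above amount to at the ERC20 level. It builds the exact calldata that the Etherscan "Write Contract" form submits for `approve(guy, 0)` with the spender address given in step 6, the calldata for an `allowance(owner, spender)` read that lets you confirm the revocation afterwards, and a small in-memory ledger modelling ERC20 allowance semantics: an approved spender can call `transferFrom` up to the allowance (with an unlimited approval, that is the owner's whole balance), and once the allowance is set back to zero every `transferFrom` reverts. The 4-byte selectors are the standard ones for these ERC20 function signatures; the owner address, balance and approval amount in the walkthrough are constructed sample values.

```javascript
// Added example: ERC20 allowance model + calldata for approve(guy, 0). Not Sablier's code.
const SABLIER_SPENDER = "0xeef1392e7044993Fd28bf7878DF85A365b540b92"; // address from the post

// Standard ERC20 4-byte selectors (first 4 bytes of keccak256 of the signature).
const SEL_APPROVE = "095ea7b3";   // approve(address,uint256)
const SEL_ALLOWANCE = "dd62ed3e"; // allowance(address,address)

// ABI-encode an address as a left-padded 32-byte word (lowercase hex, no 0x).
function padAddress(addr) {
  const hex = addr.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(hex)) throw new Error("bad address: " + addr);
  return hex.padStart(64, "0");
}

// ABI-encode a uint256 as a 32-byte word.
function padUint(value) {
  const v = BigInt(value);
  if (v < 0n || v >= (1n << 256n)) throw new Error("uint256 out of range");
  return v.toString(16).padStart(64, "0");
}

// Calldata that "Write Contract" submits for approve(guy, wad); wad = 0 revokes.
function encodeApprove(guy, wad) {
  return "0x" + SEL_APPROVE + padAddress(guy) + padUint(wad);
}

// Calldata for an eth_call of allowance(owner, spender), to verify the revocation.
function encodeAllowance(owner, spender) {
  return "0x" + SEL_ALLOWANCE + padAddress(owner) + padAddress(spender);
}

// Minimal in-memory model of an ERC20 balance/allowance ledger (a toy, not DAI's code).
class ToyToken {
  constructor() { this.balances = new Map(); this.allowances = new Map(); }
  key(owner, spender) { return owner.toLowerCase() + ":" + spender.toLowerCase(); }
  mint(to, amount) { this.balances.set(to.toLowerCase(), BigInt(amount)); }
  balanceOf(who) { return this.balances.get(who.toLowerCase()) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(this.key(owner, spender)) ?? 0n; }
  approve(owner, spender, wad) { this.allowances.set(this.key(owner, spender), BigInt(wad)); }
  // transferFrom as called by `spender`: bounded by both the allowance and the owner's balance.
  transferFrom(spender, from, to, wad) {
    const amt = BigInt(wad);
    const allowed = this.allowance(from, spender);
    if (amt > allowed) throw new Error("insufficient allowance");
    if (amt > this.balanceOf(from)) throw new Error("insufficient balance");
    this.allowances.set(this.key(from, spender), allowed - amt);
    this.balances.set(from.toLowerCase(), this.balanceOf(from) - amt);
    this.balances.set(to.toLowerCase(), this.balanceOf(to) + amt);
  }
}

// Walk through the situation in the post: a user holds `balance` DAI, has approved
// `spender` for `approvedAmount`, then sends Transaction 1 (approve(spender, 0)).
function simulateRevocation(owner, spender, balance, approvedAmount) {
  const dai = new ToyToken();
  dai.mint(owner, balance);
  dai.approve(owner, spender, approvedAmount);
  // Amount the spender could move before revocation: min(allowance, balance).
  const allowed = dai.allowance(owner, spender);
  const held = dai.balanceOf(owner);
  const exposedBefore = allowed < held ? allowed : held;
  dai.approve(owner, spender, 0); // Transaction 1
  let pulledAfterRevoke = 0n;
  try {
    dai.transferFrom(spender, owner, spender, 1n);
    pulledAfterRevoke = 1n;
  } catch (e) { /* expected: reverts with "insufficient allowance" */ }
  return {
    exposedBefore,
    allowanceAfter: dai.allowance(owner, spender),
    pulledAfterRevoke,
    balanceAfter: dai.balanceOf(owner),
  };
}

// Constructed sample: an owner with 100 DAI who granted an unlimited (max uint256) approval.
const SAMPLE_OWNER = "0x1111111111111111111111111111111111111111"; // hypothetical address
const MAX_UINT256 = (1n << 256n) - 1n;
console.log("approve(guy, 0) calldata:", encodeApprove(SABLIER_SPENDER, 0));
console.log("allowance(owner, spender) calldata:", encodeAllowance(SAMPLE_OWNER, SABLIER_SPENDER));
console.log(simulateRevocation(SAMPLE_OWNER, SABLIER_SPENDER, 100n, MAX_UINT256));
```

The `approve(guy, 0)` calldata is what to expect in the MetaMask confirmation for step 8: selector `0x095ea7b3`, the Sablier address left-padded to 32 bytes, then a zero word. After the transaction is mined, an `eth_call` to the DAI contract with the `encodeAllowance` payload should return a zero word for your account; the toy ledger shows why that matters, since with an unlimited approval the exposed amount equals the entire DAI balance until the allowance is zeroed.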

For convenience:

Transaction 2: Proof of Burn

Please send 0.0000308 ETH to the following address:

• 0x0000000000000000000000000000000000000000

This acts as a proof of ownership. Reach out on Twitter, Telegram or Keybase after you do this. In total, there is ~124 DAI waiting to be redeemed by 5 different accounts.

Road Ahead

I sincerely apologise. I founded Sablier to do good for the Ethereum ecosystem, but I made a mistake and I acknowledge it. The landing page did describe the dapp as experimental, beta software, but that doesn’t make for an excuse. I did everything I could to protect all users’ funds and I’m glad that that has come to fruition.

Next steps are to ship v1.0, a version which will patch the vulnerability described herein and get audited several times before publication. In fact, just last week, we received a grant that will get us an audit from a top security firm. But we shall over-invest and get additional pairs of eyes to look over the code. More on this soon.

The beta.sablier.app domain will remain connected to Rinkeby until further notice. If you have any subsequent questions, do not hesitate to reach out on Twitter or Telegram. We will refund you for the gas paid on the transactions above and also spend as much time as necessary to go through any technical issues.

Sablier

The protocol for real-time finance on Ethereum

Paul Razvan Berg

Written by

Founder @SablierHQ
