
Hardening Sablier’s v2.2 Codebase

DeFi
Tokens
Interoperability

Sablier is a permissionless token distribution protocol, designed to facilitate any type of payment, whether instant or across time. It is entirely free-to-use infrastructure. DAOs and businesses use Sablier for vesting, payroll, airdrops, and more.

When creating a stream, the sender deposits the amount they are looking to pay into the Sablier protocol. The funds are then progressively streamed over to the recipient within the contract, following the distribution curve chosen by the sender. The recipient can withdraw the funds as they are streamed.

May 10, 2024
May 31, 2024
Check out full report

The Challenge

The Importance

Sablier has managed more than $1.5B USD in transaction volume through more than 131,000 streams. It is integrated with twelve blockchains, including Ethereum, Arbitrum, Avalanche, Base, Binance, Polygon, and Optimism. It is also fully integrated with Safe multisig. Hundreds of organizations, including Maple Finance, Uniswap and ShapeShift, use Sablier to manage their token distribution programs.

The protocol employs a set of persistent and non-upgradable smart contracts that prioritize security, censorship resistance, self-custody, and functionality without the need for trusted intermediaries who may selectively restrict access. To harden the system against attacks, Sablier engages several diverse teams to thoroughly audit each protocol version.

Sablier + Cyfrin Engagement

Sablier chose Cyfrin CodeHawks to coordinate a competitive audit of the v2.2 codebase in two repositories: v2-core and v2-periphery. Core contracts provide the fundamental token distribution logic of the Sablier Protocol. They contain LockupLinear, LockupDynamic, and LockupTranched, the primary contracts that users interact with. Periphery contracts interact with one or more Core contracts but are not part of the Core. They are an abstraction layer that enhances the security and extensibility of the protocol without introducing upgradeability. Periphery plays a key role in creating Airstream campaigns.

Cyfrin's Solution

Cyfrin CodeHawks is a competitive audit platform that connects protocols with independent, world-class smart contract auditors to solidify the security of their systems. Sablier’s competitive audit was open, meaning any auditor on the platform could evaluate the code, submit findings, participate in community judging, and file appeals.

The process for competitive audits is similar to, yet distinct from, private audits. Following initial assessments and setup, Sablier’s code was frozen and the final commit, branch, known issues, and contracts were added to the CodeHawks platform for hundreds of security researchers to review, analyze, test, and uncover critical vulnerabilities.

The Sablier engineering team integrated into the Cyfrin-managed Discord to facilitate audit-related engagement, questions, and conversation.

Upon the close of the competition window, with hundreds of submissions, CodeHawks ensured only valid, verifiable submissions reached the final report. To achieve this, the judging process proceeded in two phases: one through community judging, where CodeHawks auditors who meet certain criteria evaluate every submission, and one led by a subject matter expert who makes all final determinations. After the judging was complete, auditors submitted appeals and reviews before the lead judge made final determinations.

Impact

Over the course of the 21-day competitive auditing period, auditors continuously submitted findings as they were discovered. The lead judge evaluated all submissions and deemed 11 valid. The Sablier team evaluated the valid submissions and acknowledged four medium-risk and seven low-risk findings as in-scope.

Medium risk finding examples

  • Insufficient input validation allows an attacker to obtain stored XSS
  • Scenarios where the streamed amount calculation can lead to arithmetic overflow
  • Hook calls can be skipped due to insufficient gas

The eleven total accepted vulnerabilities were addressed quickly by Sablier’s engineering team. Their final report is available on Medium, here.

More information about Cyfrin CodeHawks' process for competitive audits is available in our docs.

To schedule your own protocol’s competitive audit, contact Cyfrin today.
