search

code-423n4 / 2021-11-streaming-findings

0 stars 0 forks source link

parameter "who" not used #125

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

gpersoon

Vulnerability details

Impact

The function updateStreamInternal(address who) has a parameter "who", which isn't used. However "TokenStream storage ts = tokensNotYetStreamed[msg.sender];" uses msg.sender, where probably "who" should be used.

Luckily in the current code this doesn't pose any problems however it is misleading and future code updates could introduce a high risk issue due to this. Because "who" isn't used it is safer and cheaper to remove it. ==> thus I have classified this as a gas optimization

Proof of Concept

https://github.com/code-423n4/2021-11-streaming/blob/56d81204a00fc949d29ddd277169690318b36821/Streaming/src/Locke.sol#L203-L205

function updateStreamInternal(address who) internal {
        require(block.timestamp < endStream , "!stream");
        TokenStream storage ts = tokensNotYetStreamed[msg.sender];

https://github.com/code-423n4/2021-11-streaming/blob/56d81204a00fc949d29ddd277169690318b36821/Streaming/src/Locke.sol#L197-L201

modifier updateStream(address who) {
        // save bytecode space by making it a jump instead of inlining at cost of gas
        updateStreamInternal(who);
        _;
    }

Tools Used

Recommended Mitigation Steps

Remove "who" from updateStreamInternal(), as well as the modifier updateStream() and the functions that use the modier updateStream

0xean commented 2 years ago

Going to move this to low-risk as the incorrect parameter can lead to confusion and function being incorrect to spec

1 — Low: Low: Assets are not at risk. State handling, function incorrect as to spec, issues with comments.