The constraint (mentioned in the documentation) that feePercent is less than 5% is only validated in StreamFactory, not in Stream.
In Stream, it is only checked that feePercent is less than 100% (see here).
However, Stream can be created without a StreamFactory.
This can lead a user/funder to falsely assume the fee is lower than 5%.
This is particularly true given that feePercent is expressed as a fraction of 10000.
For example, a user/funder can call feeParams, which returns (true, 5000), indicating a fee of 50%.
After reading the documentation, the user/funder or a staker might assume that 5000 means 5% instead of 50%, since 50% is not possible according to the documentation.
Proof of Concept
Stream stream = new Stream(
    1, msg.sender, false, rewardToken, depositToken, startTime,
    streamDuration, depositLockDuration, rewardLockDuration,
    5000, // the important part: 5000 / 10000 = 50%, passes the < 100% check in Stream
    true);
Tools Used
None
Recommended Mitigation Steps
Change this check to the following:
require(feePercent < 500, "fee");
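The recommended check in context, as an added sketch that is not the project's Stream contract: the bound is enforced in the constructor itself, so it holds for direct deployments as well as factory ones, and the denominator is a named constant so the units of feePercent are explicit. The contract name, the constants, the uint16 type, the feeOn helper and the (enabled, percent) return order are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: simplified stand-in, not the project's Stream contract.
contract StreamFeeSketch {
    // feePercent is a fraction of 10000, so 500 == 5% and 5000 == 50%.
    uint16 public constant FEE_DENOMINATOR = 10000;
    // Documented cap: the fee must be less than 5%.
    uint16 public constant MAX_FEE = 500;

    struct FeeParams {
        bool feeEnabled;
        uint16 feePercent;
    }

    FeeParams private _feeParams;

    constructor(uint16 feePercent, bool feeEnabled) {
        // Enforce the documented bound in the contract itself, so it holds
        // even when the contract is deployed without going through a factory.
        // A call such as the one in the Proof of Concept (5000) reverts here.
        require(feePercent < MAX_FEE, "fee");
        _feeParams = FeeParams(feeEnabled, feePercent);
    }

    // Assumed to mirror the (enabled, percent) shape of the feeParams call
    // described in the finding.
    function feeParams() external view returns (bool, uint16) {
        return (_feeParams.feeEnabled, _feeParams.feePercent);
    }

    // Fee charged on `amount`, computed with the same denominator the bound
    // is expressed in, so the cap and the arithmetic cannot drift apart.
    function feeOn(uint256 amount) external view returns (uint256) {
        if (!_feeParams.feeEnabled) return 0;
        return (amount * _feeParams.feePercent) / FEE_DENOMINATOR;
    }
}
```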
Handle
mtz