code-423n4 / 2021-11-streaming-findings


Incorrect Validation of feePercent #246

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

mtz

Vulnerability details

Impact

The constraint (mentioned in the documentation) that feePercent is less than 5% is only validated in StreamFactory, not in Stream. In Stream it is only checked that feePercent is less than 100% (see here). However, a Stream can be created without a StreamFactory. This can lead a user/funder to falsely assume the fee is lower than 5%. This is particularly true given that the feePercent is expressed as a fraction of 10000. For example, a user/funder can call feeParams, which returns (true, 5000), indicating a fee of 50%. After reading the documentation, the user/funder or a staker might assume that 5000 means 5% instead of 50%, since 50% is not possible according to the documentation.

Proof of Concept

Stream stream = new Stream(1, msg.sender, false, rewardToken, depositToken, startTime, streamDuration, depositLockDuration, rewardLockDuration,
5000, // the important part
true);

Tools Used

None

Recommended Mitigation Steps

Change this check to the following: require(feePercent < 500, "fee");
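The pattern described in this report, as an added illustration that is not code from the audited repository or from the report: a stream that relies on its factory for the 5% cap, next to one that enforces the cap itself. The contract names (LooseStream, CappedStream, Factory), the simplified two-argument constructors and the two constants are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical names throughout; simplified to the fee parameters only.
// Fees are a fraction of 10000, so 500 means 5% and 5000 means 50%.
uint32 constant FEE_DENOMINATOR = 10000;
uint32 constant MAX_FEE_PERCENT = 500;

// "Before": only rejects fees of 100% or more and trusts the deployer
// to have applied the documented 5% cap.
contract LooseStream {
    uint32 public immutable feePercent;
    bool public immutable feeEnabled;

    constructor(uint32 _feePercent, bool _feeEnabled) {
        require(_feePercent < FEE_DENOMINATOR, "fee"); // 5000 passes
        feePercent = _feePercent;
        feeEnabled = _feeEnabled;
    }
}

// "After": the cap is an invariant of the stream itself, so deploying
// it directly (without the factory) cannot bypass the limit.
contract CappedStream {
    uint32 public immutable feePercent;
    bool public immutable feeEnabled;

    constructor(uint32 _feePercent, bool _feeEnabled) {
        require(_feePercent < MAX_FEE_PERCENT, "fee"); // 5000 reverts
        feePercent = _feePercent;
        feeEnabled = _feeEnabled;
    }

    // Same shape as the (bool, uint) pair the report describes.
    function feeParams() external view returns (bool, uint32) {
        return (feeEnabled, feePercent);
    }
}

// The factory uses the same constant, so both checks stay in agreement.
contract Factory {
    function create(uint32 fee, bool enabled) external returns (CappedStream) {
        require(fee < MAX_FEE_PERCENT, "fee");
        return new CappedStream(fee, enabled);
    }
}
```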

0xean commented 2 years ago

Marking down to low risk