Check that the balance after the transfer minus the balance before it equals the amount, to catch any rebasing/inflation/deflation.
Add support in contracts for such tokens before accepting user-supplied tokens.
Consider supporting deflationary/rebasing/etc. tokens by additionally checking the balances before and after the transfer, or strictly inform your users not to use such tokens if they don't want to lose them.
Handle
defsec
Vulnerability details
Impact
Stream protocol allows different tokens to be used as collateral or underlying. The Dex contracts do not appear to support rebasing/deflationary/inflationary tokens whose balance changes during transfers or over time. The necessary checks include at least verifying the amount of tokens transferred to contracts before and after the actual transfer to infer any fees/interest.
Proof of Concept
Stream whitelists a rebasing/deflationary/inflationary token to be used as collateral or underlying by accident. This leads to miscalculations between internal Pool accounting and the balances in the token contracts.
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L424
Tools Used
Code Review
Recommended Mitigation Steps
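The before/after balance check this finding recommends, as an added Solidity illustration that is not code from Locke.sol or the Stream project. The contract `BalanceCheckedPool` and all of its function names are hypothetical, and it assumes a token whose `transferFrom` returns `bool`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration; BalanceCheckedPool and its functions are hypothetical, not Locke.sol code.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract BalanceCheckedPool {
    IERC20 public immutable token;
    mapping(address => uint256) public credited; // internal accounting per depositor
    uint256 public totalCredited;

    error TransferFailed();
    error AmountMismatch(uint256 requested, uint256 received);

    constructor(IERC20 token_) { token = token_; }

    // Strict: revert unless exactly `amount` arrived, which rejects fee-on-transfer tokens.
    function depositStrict(uint256 amount) external {
        uint256 received = _pull(msg.sender, amount);
        if (received != amount) revert AmountMismatch(amount, received);
        _credit(msg.sender, received);
    }

    // Tolerant: credit only what actually arrived, so the books match the token balance.
    function depositMeasured(uint256 amount) external returns (uint256 received) {
        received = _pull(msg.sender, amount);
        _credit(msg.sender, received);
    }

    // Rebasing tokens move balances between calls; nonzero drift means the books are stale.
    function accountingDrift() external view returns (int256) {
        return int256(token.balanceOf(address(this))) - int256(totalCredited);
    }

    // Assumes the token returns bool and has no transfer hooks (otherwise add a reentrancy guard).
    function _pull(address from, uint256 amount) private returns (uint256) {
        uint256 balanceBefore = token.balanceOf(address(this));
        if (!token.transferFrom(from, address(this), amount)) revert TransferFailed();
        return token.balanceOf(address(this)) - balanceBefore;
    }

    function _credit(address account, uint256 amount) private {
        credited[account] += amount;
        totalCredited += amount;
    }
}
```

The measured delta handles transfer-time fees only; a token that rebases between calls still needs share-based accounting or exclusion from the whitelist, which `accountingDrift` can help detect.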