PlamenTSV
commented
3 weeks ago I see the issue here, however _afterClaimCleanup() is invoked even for a failed transfer, only if the stream has completely ended, due to this block:
if ( block.timestamp >= endForSpecificStream(client, paymentReceiver, streamId) ) {
_afterClaimCleanup(client, paymentReceiver, streamId);
}Which makes it even more unlikely, since the conditions are:
- Ended stream
- Failed transfer Thus Medium, I will let the other judge and sponsor review this
FHieser
Github username: @0xShax2nk Twitter username: 0xShashanks_07 Submission hash (on-chain): 0x9aec5bf94d610c96126661486521c8d3124b77513f19a97df9ea0b9f5a6712dd Severity: high
Description: Description\
The
PP_Streaming_v1contract manages streaming payments and allows users to claim their payments. The contract interacts with theERC20PaymentClientBase_v1to handle token transfers and updates the_outstandingTokenAmountsvariable to track outstanding token amounts. An issue arises when a token transfer fails, leading to a double subtraction of the_outstandingTokenAmountsvariable.In
PP_Streaming_v1Contract the state variable_outstandingTokenAmountsis getting decremented twice for the same stream under certain conditions. This occurs when a token transfer fails, the stream ends, and the user later claims the previously unclaimable tokens. The sequence of operations leads to_outstandingTokenAmountsbeing updated in both_removePaymentForSpecificStream()and_claimPreviouslyUnclaimable(), resulting in an incorrect state.Impact
The incorrect state of _outstandingTokenAmounts can lead to financial discrepancies, causing overpayment or underpayment to users. Also the integrity of the payment processing logic is compromised, leading to potential errors in future transactions cause of this issue.
Double subtraction of
_outstandingTokenAmountsleads to incorrect tracking of outstanding token amounts, which can cause:Attack Scenario\
_afterClaimCleanup()is triggered, which calls_removePaymentForSpecificStream()and updates_outstandingTokenAmounts.claimPreviouslyUnclaimable()to claim the previously unclaimable tokens, which again updates_outstandingTokenAmounts._outstandingTokenAmountsbeing decremented twice for the same stream, leading to an incorrect state.Attachments
https://github.com/hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/blob/62892384fd7d0ce4d0e389c530200c69921473f7/src/modules/paymentProcessor/PP_Streaming_v1.sol#L132
https://github.com/hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/blob/62892384fd7d0ce4d0e389c530200c69921473f7/src/modules/paymentProcessor/PP_Streaming_v1.sol#L691
https://github.com/hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/blob/62892384fd7d0ce4d0e389c530200c69921473f7/src/modules/paymentProcessor/PP_Streaming_v1.sol#L713
https://github.com/hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/blob/62892384fd7d0ce4d0e389c530200c69921473f7/src/modules/paymentProcessor/PP_Streaming_v1.sol#L416
https://github.com/hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/blob/62892384fd7d0ce4d0e389c530200c69921473f7/src/modules/paymentProcessor/PP_Streaming_v1.sol#L549
https://github.com/hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/blob/62892384fd7d0ce4d0e389c530200c69921473f7/src/modules/logicModule/abstracts/ERC20PaymentClientBase_v1.sol#L206
https://github.com/hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/blob/62892384fd7d0ce4d0e389c530200c69921473f7/src/modules/paymentProcessor/PP_Streaming_v1.sol#L143
https://github.com/hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/blob/62892384fd7d0ce4d0e389c530200c69921473f7/src/modules/paymentProcessor/PP_Streaming_v1.sol#L783
Proof of Concept (PoC) File
Revised Code File (Optional)