Open hats-bug-reporter[bot] opened 3 weeks ago
I see the issue here, however _afterClaimCleanup()
is invoked even for a failed transfer, only if the stream has completely ended, due to this block:
if ( block.timestamp >= endForSpecificStream(client, paymentReceiver, streamId) ) {
_afterClaimCleanup(client, paymentReceiver, streamId);
}
Which makes it even more unlikely, since the conditions are:
The call to adapt outstandingtoken amount in _removePaymentForSpecificStream is based on the remainingReleasable of the stream. Even if the transfer fails it counts it as _released in the stream struct. That way it isnt double counted. At least that is the idea.
If you think this doesnt account for it please submit a POC for me to check Thanks
Github username: @0xShax2nk Twitter username: 0xShashanks_07 Submission hash (on-chain): 0x9aec5bf94d610c96126661486521c8d3124b77513f19a97df9ea0b9f5a6712dd Severity: high
Description: Description\
The
PP_Streaming_v1
contract manages streaming payments and allows users to claim their payments. The contract interacts with theERC20PaymentClientBase_v1
to handle token transfers and updates the_outstandingTokenAmounts
variable to track outstanding token amounts. An issue arises when a token transfer fails, leading to a double subtraction of the_outstandingTokenAmounts
variable.In
PP_Streaming_v1
Contract the state variable_outstandingTokenAmounts
is getting decremented twice for the same stream under certain conditions. This occurs when a token transfer fails, the stream ends, and the user later claims the previously unclaimable tokens. The sequence of operations leads to_outstandingTokenAmounts
being updated in both_removePaymentForSpecificStream()
and_claimPreviouslyUnclaimable()
, resulting in an incorrect state.Impact
The incorrect state of _outstandingTokenAmounts can lead to financial discrepancies, causing overpayment or underpayment to users. Also the integrity of the payment processing logic is compromised, leading to potential errors in future transactions cause of this issue.
Double subtraction of
_outstandingTokenAmounts
leads to incorrect tracking of outstanding token amounts, which can cause:Attack Scenario\
_afterClaimCleanup()
is triggered, which calls_removePaymentForSpecificStream()
and updates_outstandingTokenAmounts
.claimPreviouslyUnclaimable()
to claim the previously unclaimable tokens, which again updates_outstandingTokenAmounts
._outstandingTokenAmounts
being decremented twice for the same stream, leading to an incorrect state.Attachments
https://github.com/hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/blob/62892384fd7d0ce4d0e389c530200c69921473f7/src/modules/paymentProcessor/PP_Streaming_v1.sol#L132
https://github.com/hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/blob/62892384fd7d0ce4d0e389c530200c69921473f7/src/modules/paymentProcessor/PP_Streaming_v1.sol#L691
https://github.com/hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/blob/62892384fd7d0ce4d0e389c530200c69921473f7/src/modules/paymentProcessor/PP_Streaming_v1.sol#L713
https://github.com/hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/blob/62892384fd7d0ce4d0e389c530200c69921473f7/src/modules/paymentProcessor/PP_Streaming_v1.sol#L416
https://github.com/hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/blob/62892384fd7d0ce4d0e389c530200c69921473f7/src/modules/paymentProcessor/PP_Streaming_v1.sol#L549
https://github.com/hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/blob/62892384fd7d0ce4d0e389c530200c69921473f7/src/modules/logicModule/abstracts/ERC20PaymentClientBase_v1.sol#L206
https://github.com/hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/blob/62892384fd7d0ce4d0e389c530200c69921473f7/src/modules/paymentProcessor/PP_Streaming_v1.sol#L143
https://github.com/hats-finance/Inverter-Network-0xe47e52c4fea05e555920f1dcdcc6fb8eca103eeb/blob/62892384fd7d0ce4d0e389c530200c69921473f7/src/modules/paymentProcessor/PP_Streaming_v1.sol#L783
Proof of Concept (PoC) File
Revised Code File (Optional)