function createStream(
address payer,
address recipient,
uint256 tokenAmount,
address tokenAddress,
uint256 startTime,
uint256 stopTime,
uint8 nonce
) public returns (address stream) {
// These input checks are here rather than in Stream because these parameters are written
// using clone-with-immutable-args, meaning they are already set when Stream is created and can't be
// verified there. The main benefit of this approach is significant gas savings.
if (payer == address(0)) revert PayerIsAddressZero();
if (recipient == address(0)) revert RecipientIsAddressZero();
if (tokenAmount == 0) revert TokenAmountIsZero();
if (stopTime <= startTime) revert DurationMustBePositive();
if (tokenAmount < stopTime - startTime) revert TokenAmountLessThanDuration();
stream = streamImplementation.cloneDeterministic(
encodeData(payer, recipient, tokenAmount, tokenAddress, startTime, stopTime),
salt(
msg.sender, payer, recipient, tokenAmount, tokenAddress, startTime, stopTime, nonce
)
);
IStream(stream).initialize();
emit StreamCreated(
msg.sender, payer, recipient, tokenAmount, tokenAddress, startTime, stopTime, stream
);
}
Tool used
Manual Review
Recommendation
It is recommended to add validation to check if the stream is already in the past.
function createStream(
address payer,
address recipient,
uint256 tokenAmount,
address tokenAddress,
uint256 startTime,
uint256 stopTime,
uint8 nonce
) public returns (address stream) {
...
if (tokenAmount == 0) revert TokenAmountIsZero();
+ if (stopTime <= block.timestamp) revert DurationMustBeInPresent(); //@audit - Or validate the startTime
if (stopTime <= startTime) revert DurationMustBePositive();
...
}
jonatascm
medium
Lack of validation of
startTime
andstopTime
when creating new StreamSummary
It is possible to create and/or fund a stream with start and end times in the past.
Vulnerability Detail
There is no verification to
startTime
andendTime
when creating a new streamImpact
The lack of validation breaks this main functionality of Stream which is to dilute the tokens within the time interval.
Code Snippet
StreamFactory.sol#L184-L213
Tool used
Manual Review
Recommendation
It is recommended to add validation to check if the stream is already in the past.
Duplicate of #66