search

sherlock-audit / 2022-11-nounsdao-judging

4 stars 0 forks source link

jonatascm - Lack of validation of `startTime` and `stopTime` when creating new Stream #35

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

jonatascm

medium

Lack of validation of startTime and stopTime when creating new Stream

Summary

It is possible to create and/or fund a stream with start and end times in the past.

Vulnerability Detail

There is no verification to startTime and endTime when creating a new stream

Impact

The lack of validation breaks this main functionality of Stream which is to dilute the tokens within the time interval.

Code Snippet

StreamFactory.sol#L184-L213

function createStream(
  address payer,
  address recipient,
  uint256 tokenAmount,
  address tokenAddress,
  uint256 startTime,
  uint256 stopTime,
  uint8 nonce
) public returns (address stream) {
  // These input checks are here rather than in Stream because these parameters are written
  // using clone-with-immutable-args, meaning they are already set when Stream is created and can't be
  // verified there. The main benefit of this approach is significant gas savings.
  if (payer == address(0)) revert PayerIsAddressZero();
  if (recipient == address(0)) revert RecipientIsAddressZero();
  if (tokenAmount == 0) revert TokenAmountIsZero();
  if (stopTime <= startTime) revert DurationMustBePositive();
  if (tokenAmount < stopTime - startTime) revert TokenAmountLessThanDuration();

  stream = streamImplementation.cloneDeterministic(
      encodeData(payer, recipient, tokenAmount, tokenAddress, startTime, stopTime),
      salt(
          msg.sender, payer, recipient, tokenAmount, tokenAddress, startTime, stopTime, nonce
      )
  );
  IStream(stream).initialize();

  emit StreamCreated(
      msg.sender, payer, recipient, tokenAmount, tokenAddress, startTime, stopTime, stream
      );
}

Tool used

Manual Review

Recommendation

It is recommended to add validation to check if the stream is already in the past.

function createStream(
  address payer,
  address recipient,
  uint256 tokenAmount,
  address tokenAddress,
  uint256 startTime,
  uint256 stopTime,
  uint8 nonce
) public returns (address stream) {
  ...
  if (tokenAmount == 0) revert TokenAmountIsZero();
+ if (stopTime <= block.timestamp) revert DurationMustBeInPresent(); //@audit - Or validate the startTime
  if (stopTime <= startTime) revert DurationMustBePositive();
  ...
}

Duplicate of #66