RATE_DECIMALS_MULTIPLIER is defined as 1e6. Therefore, if duration is larger as tokenAmount() * 1e6, the rate will be zero, and the recipient will not be able to withdraw the funds during the stream period.
For example when depositing 1 wei for a duration of >1e6 seconds (11,6 days), 2 wei for a duration of >23,1 days. For a duration of >100 year, a deposit of 3153 wei would result in a rate of 0.
Impact
The impact is minimal as this is only applicable to very small deposit amounts and large stream durations. On top of that, after the stream period ends, the recipient is eligible to withdraw the funds anyway because of the following check:
We recommend to check whether the calculation of the rate per second will not result in zero. This should actually be implemented in the createStream() function of the StreamFactory contract before performing the clone and actually deploying the contract:
Zarf
low
Recipient is not entitled to any funds if the fund amount is too small
Summary
Depending on the chosen duration and the amount of tokens, the recipient might not be eligible to withdraw funds from the stream.
Vulnerability Detail
The
ratePerSecond()
function calculates the at which rate the recipient is allows to withdraw funds. The calculation is performed as follows:https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/Stream.sol#L136
RATE_DECIMALS_MULTIPLIER
is defined as1e6
. Therefore, ifduration
is larger astokenAmount()
*1e6
, the rate will be zero, and the recipient will not be able to withdraw the funds during the stream period.For example when depositing 1 wei for a duration of >1e6 seconds (11,6 days), 2 wei for a duration of >23,1 days. For a duration of >100 year, a deposit of 3153 wei would result in a rate of 0.
Impact
The impact is minimal as this is only applicable to very small deposit amounts and large stream durations. On top of that, after the stream period ends, the recipient is eligible to withdraw the funds anyway because of the following check:
https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/Stream.sol#L337-L338
Code Snippet
https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/Stream.sol#L125-L138
Tool used
Manual Review
Recommendation
We recommend to check whether the calculation of the rate per second will not result in zero. This should actually be implemented in the
createStream()
function of the StreamFactory contract before performing the clone and actually deploying the contract:https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/StreamFactory.sol#L184-L213