search

sherlock-audit / 2022-11-nounsdao-judging

4 stars 0 forks source link

zimu - Public `createStream()` without restrictions allows spam of event `StreamCreated()` #46

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

zimu

medium

Public createStream() without restrictions allows spam of event StreamCreated()

Summary

Public StreamFactory.createStream() can be called by anyone, and the input checks are easily fulfilled without restrictions hard to satisfy. Then spam of StreamFactory.createStream() with massive emitted StreamCreated() events can happen.

Vulnerability Detail

Anyone can create stream with the input checks fulfilled in the following createStream(), which allows spam of StreamFactory.createStream() with event StreamCreated() emitted.

    function createStream(
        address payer,
        address recipient,
        uint256 tokenAmount,
        address tokenAddress,
        uint256 startTime,
        uint256 stopTime,
        uint8 nonce
    ) public returns (address stream) {
        if (payer == address(0)) revert PayerIsAddressZero();
        if (recipient == address(0)) revert RecipientIsAddressZero();
        if (tokenAmount == 0) revert TokenAmountIsZero();
        if (stopTime <= startTime) revert DurationMustBePositive();
        if (tokenAmount < stopTime - startTime) revert TokenAmountLessThanDuration();

        stream = streamImplementation.cloneDeterministic(
            encodeData(payer, recipient, tokenAmount, tokenAddress, startTime, stopTime),
            salt(
                msg.sender, payer, recipient, tokenAmount, tokenAddress, startTime, stopTime, nonce
            )
        );
        IStream(stream).initialize();

        emit StreamCreated(
            msg.sender, payer, recipient, tokenAmount, tokenAddress, startTime, stopTime, stream
            );
    }

Impact

Spam of StreamFactory.createStream() with event StreamCreated() emitted.

Code Snippet

https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/StreamFactory.sol#L184-L213

Tool used

Manual Review

Recommendation

Except the owner, anyone who wants to create a stream proposal should firstly deposit at least a minimal amount of tokens for the declared Payer in proposal.