Public createStream() without restrictions allows spam of event StreamCreated()
Summary
Public StreamFactory.createStream() can be called by anyone, and the input checks are easily fulfilled without restrictions hard to satisfy. Then spam of StreamFactory.createStream() with massive emitted StreamCreated() events can happen.
Vulnerability Detail
Anyone can create stream with the input checks fulfilled in the following createStream(), which allows spam of StreamFactory.createStream() with event StreamCreated() emitted.
Except the owner, anyone who wants to create a stream proposal should firstly deposit at least a minimal amount of tokens for the declared Payer in proposal.
zimu
medium
Public
createStream()
without restrictions allows spam of eventStreamCreated()
Summary
Public
StreamFactory.createStream()
can be called by anyone, and the input checks are easily fulfilled without restrictions hard to satisfy. Then spam ofStreamFactory.createStream()
with massive emittedStreamCreated()
events can happen.Vulnerability Detail
Anyone can create stream with the input checks fulfilled in the following
createStream()
, which allows spam ofStreamFactory.createStream()
with eventStreamCreated()
emitted.Impact
Spam of
StreamFactory.createStream()
with eventStreamCreated()
emitted.Code Snippet
https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/StreamFactory.sol#L184-L213
Tool used
Manual Review
Recommendation
Except the owner, anyone who wants to create a stream proposal should firstly deposit at least a minimal amount of tokens for the declared Payer in proposal.