Missing input validation can result in Streamrecipient instantly receiving all tokens
Summary
It is possible that a payer configures Stream improperly, resulting in recipient instantly receiving all tokens
Vulnerability Detail
StreamFactory::createStream does input validation for the deployment of a new Stream. The problem is that the validation is incomplete - both startTime and stopTime can be before the current block.timestamp. This can happen if a payer that is deploying a new Stream fat-fingers the values of startTime and stopTime or if they are just improperly calculated. This will result in inability to cancel the Stream without the recipient getting all of the tokens, and he can just claim them any time.
Impact
This can result in an unexpected malfunction of value transfer in the protocol from the payer viewpoint. Missing important input validations are Medium severity.
pashov
medium
Missing input validation can result in
Stream
recipient
instantly receiving all tokensSummary
It is possible that a
payer
configuresStream
improperly, resulting inrecipient
instantly receiving all tokensVulnerability Detail
StreamFactory::createStream
does input validation for the deployment of a newStream
. The problem is that the validation is incomplete - bothstartTime
andstopTime
can be before the currentblock.timestamp
. This can happen if apayer
that is deploying a newStream
fat-fingers the values ofstartTime
andstopTime
or if they are just improperly calculated. This will result in inability to cancel theStream
without therecipient
getting all of the tokens, and he can just claim them any time.Impact
This can result in an unexpected malfunction of value transfer in the protocol from the
payer
viewpoint. Missing important input validations are Medium severity.Code Snippet
https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/StreamFactory.sol#L184
Tool used
Manual Review
Recommendation
Adding a validation that
startTime >= block.timestamp
will resolve the issueDuplicate of #66