Missing input validation can result in Streamrecipient instantly receiving all tokens
Summary
It is possible that a payer configures Stream improperly, resulting in recipient instantly receiving all tokens
Vulnerability Detail
StreamFactory::createStream does input validation for the deployment of a new Stream. The problem is that the validation is incomplete - both startTime and stopTime can be before the current block.timestamp. This can happen if a payer that is deploying a new Stream fat-fingers the values of startTime and stopTime or if they are just improperly calculated. This will result in inability to cancel the Stream without the recipient getting all of the tokens, and he can just claim them any time.
Impact
This can result in an unexpected malfunction of value transfer in the protocol from the payer viewpoint. Missing important input validations are Medium severity.
pashov
medium
Missing input validation can result in
Streamrecipientinstantly receiving all tokensSummary
It is possible that a
payerconfiguresStreamimproperly, resulting inrecipientinstantly receiving all tokensVulnerability Detail
StreamFactory::createStreamdoes input validation for the deployment of a newStream. The problem is that the validation is incomplete - bothstartTimeandstopTimecan be before the currentblock.timestamp. This can happen if apayerthat is deploying a newStreamfat-fingers the values ofstartTimeandstopTimeor if they are just improperly calculated. This will result in inability to cancel theStreamwithout therecipientgetting all of the tokens, and he can just claim them any time.Impact
This can result in an unexpected malfunction of value transfer in the protocol from the
payerviewpoint. Missing important input validations are Medium severity.Code Snippet
https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/StreamFactory.sol#L184
Tool used
Manual Review
Recommendation
Adding a validation that
startTime >= block.timestampwill resolve the issueDuplicate of #66