search

sherlock-audit / 2022-11-nounsdao-judging

4 stars 0 forks source link

WATCHPUG - The rather harsh requirement of `tokenAmount` makes it inapplicable for certain tokens #63

Open sherlock-admin opened 1 year ago

sherlock-admin commented 1 year ago

WATCHPUG

medium

The rather harsh requirement of tokenAmount makes it inapplicable for certain tokens

Summary

The requirements for tokenAmount >= stopTime - startTime will not be suitable for all tokens and therefore need to be made less applicable for certain tokens like WBTC and EURS.

Vulnerability Detail

Requiring the tokenAmount >= stopTime - startTime is suitable for USDC and WETH.

However, such requirements will be a bit too harsh for other popular tokens, eg, WBTC (decimals: 8) and EURS (decimals: 2). Therefore, make the system less applicable for those tokens.

For WBTC, it must be 0.31536 WBTC per year (worth about $5,400) to meet this requirement, and for EURS, it must be at least 315,360 EURS per year (worth about $315,000).

Impact

The system will be inapplicable for certain tokens with higher per wei value, eg, WBTC and EURS.

Code Snippet

https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/StreamFactory.sol#L200

Tool used

Manual Review

Recommendation

Consider changing to tokenAmount * RATE_DECIMALS_MULTIPLIER >= stopTime - startTime.

eladmallel commented 1 year ago

Fix PR: https://github.com/nounsDAO/streamer/pull/12

jack-the-pug commented 1 year ago

Fix confirmed!

Notice: The fix should be merged together with https://github.com/nounsDAO/streamer/pull/7, otherwise, ratePerSecond() can be 0.