createStream didn't check if time is already passed can result instant withdrawal for recipient
Summary
createStream didn't check if time is already passed can result instant payout for recipient (moreover if the creation is using createAndFundStream)
Vulnerability Detail
Ideally the startTime and endTime are in the future time, > block.timestamp.
but in createStream() implementation there is no check if startTime and endTime set in the future time.
Therefore, if creation of stream is already past startTime & stopTime, this will create this potential vulnerability.
File: StreamFactory.sol
184: function createStream(
185: address payer,
186: address recipient,
187: uint256 tokenAmount,
188: address tokenAddress,
189: uint256 startTime,
190: uint256 stopTime,
191: uint8 nonce
192: ) public returns (address stream) {
193: // These input checks are here rather than in Stream because these parameters are written
194: // using clone-with-immutable-args, meaning they are already set when Stream is created and can't be
195: // verified there. The main benefit of this approach is significant gas savings.
196: if (payer == address(0)) revert PayerIsAddressZero();
197: if (recipient == address(0)) revert RecipientIsAddressZero();
198: if (tokenAmount == 0) revert TokenAmountIsZero();
199: if (stopTime <= startTime) revert DurationMustBePositive();
200: if (tokenAmount < stopTime - startTime) revert TokenAmountLessThanDuration();
201:
202: stream = streamImplementation.cloneDeterministic(
203: encodeData(payer, recipient, tokenAmount, tokenAddress, startTime, stopTime),
204: salt(
205: msg.sender, payer, recipient, tokenAmount, tokenAddress, startTime, stopTime, nonce
206: )
207: );
208: IStream(stream).initialize();
209:
210: emit StreamCreated(
211: msg.sender, payer, recipient, tokenAmount, tokenAddress, startTime, stopTime, stream
212: );
213: }
chainNue
medium
createStream
didn't check if time is already passed can result instant withdrawal for recipientSummary
createStream
didn't check if time is already passed can result instant payout for recipient (moreover if the creation is usingcreateAndFundStream
)Vulnerability Detail
Ideally the
startTime
andendTime
are in the future time,> block.timestamp
. but increateStream()
implementation there is no check ifstartTime
andendTime
set in the future time. Therefore, if creation of stream is already past startTime & stopTime, this will create this potential vulnerability.according to https://docs.sherlock.xyz/audits/watsons/judging
so I think this is categorized as medium issue.
Impact
Instant full payout (withdrawal) for recipient, especially when the creation is using
createAndFundStream
Code Snippet
https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/StreamFactory.sol#L184-L213
Tool used
Manual Review
Recommendation
Add check if
startTime
andendTime
is greater thanblock.timestamp
Duplicate of #66