davidbrai
commented
1 year ago I don't see how this is an attack, it's like sending someone fake tokens
Closed sherlock-admin closed 1 year ago
davidbrai
commented
1 year ago I don't see how this is an attack, it's like sending someone fake tokens
Avci
high
The attacker can create streams with fake token.
Summary
Attackers are able to implement fake tokens to streams because the createStream function doesn't validate token addresses. In addition, can use zero addresses in this function.
Vulnerability Detail
When users want to create a stream, the createStream function checks the payer and recipient address to not zero, but it's not checking the token address. The function should check the users can not create streams with zero tokens. The main problem is the createStream function should validate the token address. If not, attackers can create streams with their own fake tokens.
Impact
Bad actor can create streams with fake tokens and pay not validated tokens with names of valid tokens.
Code Snippet
https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/StreamFactory.sol#L184
Tool used
Manual Review
Recommendation
Check token address cant be zero address and validate tokens in createStream function.