Attackers are able to implement fake tokens to streams because the createStream function doesn't validate token addresses. In addition, can use zero addresses in this function.
Vulnerability Detail
When users want to create a stream, the createStream function checks the payer and recipient address to not zero, but it's not checking the token address. The function should check the users can not create streams with zero tokens. The main problem is the createStream function should validate the token address. If not, attackers can create streams with their own fake tokens.
Impact
Bad actor can create streams with fake tokens and pay not validated tokens with names of valid tokens.
Avci
high
The attacker can create streams with fake token.
Summary
Attackers are able to implement fake tokens to streams because the createStream function doesn't validate token addresses. In addition, can use zero addresses in this function.
Vulnerability Detail
When users want to create a stream, the createStream function checks the payer and recipient address to not zero, but it's not checking the token address. The function should check the users can not create streams with zero tokens. The main problem is the createStream function should validate the token address. If not, attackers can create streams with their own fake tokens.
Impact
Bad actor can create streams with fake tokens and pay not validated tokens with names of valid tokens.
Code Snippet
https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/StreamFactory.sol#L184
Tool used
Manual Review
Recommendation
Check token address cant be zero address and validate tokens in createStream function.