payer cannot cancel if the recipient is blacklisted by USDC
Summary
The cancel() function will revert if the recipient is blacklisted by USDC
Vulnerability Detail
One of the key functionalities of the Stream contract is the ability for either party to choose to cancel.
In such case, the stream should distribute each party's fair share of tokens.
The issue is that if the recipient is blacklisted by USDC, the call will always revert here.
joestakey
medium
payercannot cancel if therecipientis blacklisted byUSDCSummary
The
cancel()function will revert if therecipientis blacklisted byUSDCVulnerability Detail
One of the key functionalities of the
Streamcontract is the ability for either party to choose to cancel. In such case, the stream should distribute each party's fair share of tokens. The issue is that if therecipientis blacklisted byUSDC, the call will always revert here.Impact
The
payerwill not be able to retrieve their share of the funds. The funds are also stuck permanently in theStreamcontract, as the rescue function does not work for the stream token. It is worth noting addresses can get blacklisted by Circle at any time.Code Snippet
https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/Stream.sol#L249
Tool used
Manual Review
Recommendation
Consider using a try/catch block for the USDC transfers in cancel(), so that it the
recipientis blacklisted, it is caught and the call goes through.This way the
payerwould retrieve the entire balance, and no funds will be stuck in the contract.Duplicate of #37