payer cannot cancel if the recipient is blacklisted by USDC
Summary
The cancel() function will revert if the recipient is blacklisted by USDC
Vulnerability Detail
One of the key functionalities of the Stream contract is the ability for either party to choose to cancel.
In such case, the stream should distribute each party's fair share of tokens.
The issue is that if the recipient is blacklisted by USDC, the call will always revert here.
joestakey
medium
payer
cannot cancel if therecipient
is blacklisted byUSDC
Summary
The
cancel()
function will revert if therecipient
is blacklisted byUSDC
Vulnerability Detail
One of the key functionalities of the
Stream
contract is the ability for either party to choose to cancel. In such case, the stream should distribute each party's fair share of tokens. The issue is that if therecipient
is blacklisted byUSDC
, the call will always revert here.Impact
The
payer
will not be able to retrieve their share of the funds. The funds are also stuck permanently in theStream
contract, as the rescue function does not work for the stream token. It is worth noting addresses can get blacklisted by Circle at any time.Code Snippet
https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/Stream.sol#L249
Tool used
Manual Review
Recommendation
Consider using a try/catch block for the USDC transfers in cancel(), so that it the
recipient
is blacklisted, it is caught and the call goes through.This way the
payer
would retrieve the entire balance, and no funds will be stuck in the contract.Duplicate of #37