HollaDieWaldfee
medium
Stream.sol: balanceOf function returns nonsensical result for payer
Summary
The Stream.balanceOf function is supposed to return "the available funds to withdraw" for the recipient and the payer. The value that is returned for the payer does not make sense and does not reflect the actual funds that the payer can withdraw.
Vulnerability Detail
The balanceOf function returns for the payer the value:
remainingBalance - recipientBalance;
https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/Stream.sol#L293
This is the difference between what the recipient can currently withdraw and what he will be able to withdraw in the future. It is not the payer's balance.
See the "Recommendation" section for how to calculate the payer's balance instead.
Impact
balanceOf(payer) is never called from inside the contract. However the wrong result can negatively impact any outside components that integrate with the Stream contract. The specific issues that can arise of course depend on the exact circumstances.
Code Snippet
https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/Stream.sol#L280-L297
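A simplified Python model of the value described under Vulnerability Detail, added here as an illustration; it is not code from Stream.sol or from the report. It assumes linear streaming, withdrawals tracked in a counter, and a stream that can hold fewer tokens than its total; StreamModel, payer_report and all numbers are constructed.

```python
from dataclasses import dataclass

@dataclass
class StreamModel:
    """Simplified stand-in for the stream (assumed model, not Stream.sol)."""
    token_amount: int     # total amount streamed to the recipient
    start: int            # stream start time
    stop: int             # stream stop time
    tokens_held: int      # tokens the stream holds (assumed funded separately)
    withdrawn: int = 0    # amount the recipient has already withdrawn

    def streamed(self, now: int) -> int:
        """Amount vested to the recipient so far (assumed linear)."""
        if now <= self.start:
            return 0
        if now >= self.stop:
            return self.token_amount
        return self.token_amount * (now - self.start) // (self.stop - self.start)

    def remaining_balance(self) -> int:  # what the recipient can still receive in total
        return self.token_amount - self.withdrawn

    def recipient_balance(self, now: int) -> int:  # what the recipient can withdraw now
        return self.streamed(now) - self.withdrawn

    def balance_of_payer(self, now: int) -> int:
        # The expression the finding quotes for the payer branch.
        return self.remaining_balance() - self.recipient_balance(now)

    def withdraw(self, now: int, amount: int) -> None:
        if amount > min(self.recipient_balance(now), self.tokens_held):
            raise ValueError("amount exceeds withdrawable balance")
        self.withdrawn += amount
        self.tokens_held -= amount

def payer_report(stream: StreamModel, now: int) -> dict:
    """Integrator-side check: compare the reported value with what it measures."""
    reported = stream.balance_of_payer(now)
    return {
        "reported": reported,
        "not_yet_streamed": stream.token_amount - stream.streamed(now),
        "tokens_held": stream.tokens_held,
        "exceeds_holdings": reported > stream.tokens_held,
    }

# Constructed scenario: 1000-token stream over 100 s, holding only 300 tokens.
stream = StreamModel(token_amount=1000, start=0, stop=100, tokens_held=300)
stream.withdraw(now=25, amount=200)
print(payer_report(stream, now=25))
```

In this constructed run the value reported for the payer tracks the amount not yet streamed to the recipient and is larger than what the modeled stream holds.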
Tool used
Manual Review
Recommendation
You might consider renaming this function to balanceOfRecipient and only return the balance of the recipient as it seems that the balance of the payer is not strictly needed. If you want to calculate the balance for the payer anyway, the true balance I think is: