search

sherlock-audit / 2022-11-nounsdao-judging

4 stars 0 forks source link

HollaDieWaldfee - Stream.sol: balanceOf function returns nonsensical result for payer #9

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

HollaDieWaldfee

medium

Stream.sol: balanceOf function returns nonsensical result for payer

Summary

The Stream.balanceOf function is supposed to return "the available funds to withdraw" for the recipient and the payer. The value that is returned for the payer does not make sense and does not reflect the actual funds that the payer can withdraw.

Vulnerability Detail

The balanceOf function returns for the payer the value remainingBalance - recipientBalance;. https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/Stream.sol#L293

This is the difference between what the recipient can currently withdraw and what he will be able to withdraw in the future. It is not the payer's balance.

See the "Recommendation" section for how to calculate the payer's balance instead.

Impact

balanceOf(payer) is never called from inside the contract. However the wrong result can negatively impact any outside components that integrate with the Stream contract. The specific issues that can arise of course depend on the exact circumstances.

Code Snippet

https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/Stream.sol#L280-L297

Tool used

Manual Review

Recommendation

You might consider renaming this function to balanceOfRecipient and only return the balance of the recipient as it seems that the balance of the payer is not strictly needed. If you want to calculate the balance for the payer anyway, the true balance I think is:

if (tokenBalance() > remainingBalance) {
    return tokenBalance() - remainingBalance;
} else {
    return 0;
}