Streaming Protocol contest - Ruhum's results

General Information

Platform: Code4rena

Start Date: 30/11/2021

Pot Size: $100,000 USDC

Total HM: 15

Participants: 36

Period: 7 days

Judge: 0xean

Total Solo HM: 4

Id: 62

League: ETH

Streaming Protocol

Findings Distribution

Researcher Performance

Rank: 21/36

Findings: 2

Award: $1,417.60

🌟 Selected for report: 1

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Streaming Protocol

Findings Information

🌟 Selected for report: cmichel

Also found by: 0x0x0x, Ruhum, gpersoon, gzeon, hack3r-0m, pauliax

Labels

bug

duplicate

3 (High Risk)

Awards

611.7761 USDC - $611.78

External Links

Link to GitHub issue

Handle

Ruhum

Vulnerability details

Impact

The user has the possibility of creating a stream where the reward and deposit token are the same. This would potentially break the claiming of the deposit and the reward since the contract might not have enough funds.

Anyway, it would be the stream creator's fault but I think outright blocking that scenario would be the best approach here.

Proof of Concept

No checks whether depositToken and rewardToken are the same:

https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L809-L814

https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L281-L310

Tools Used

none

Recommended Mitigation Steps

Add following check to either createStream() or Stream.constructor()

require(rewardToken != depositToken)

#0 - 0xean
2022-01-16T01:12:20Z

dupe of #215

Findings Information

🌟 Selected for report: Ruhum

Labels

bug

1 (Low Risk)

disagree with severity

sponsor acknowledged

Awards

805.8152 USDC - $805.82

External Links

Link to GitHub issue

Handle

Ruhum

Vulnerability details

Impact

The stream creator has the ability to recover tokens that the contract didn't account for using the recoverTokens() function. Through the arbitraryCall() function, the governance contract could potentially also withdraw those tokens to an arbitrary address. Thus, the governance contract would be able to take the stream creator's tokens.

Both parties have access so it's a matter of who comes first.

Proof of Concept

recoverTokens() with which the stream creator can withdraw those tokens: https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L687-L690

arbitraryCall() where the call has to be made to the ERC20 token contract's transfer() function. The recipient address and the amount can be determined by the caller, i.e. governance contract:

https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L743

Tools Used

none

Recommended Mitigation Steps

I don't have a solution either

#0 - brockelmore
2021-12-06T16:48:12Z

I mean yes, but should be considered non critical imo

#1 - 0xean
2022-01-16T01:14:29Z

Will leave as low risk since it's worth highlighting the potential scenario and the implications of it.

Streaming Protocol contest - Ruhum's results

General Information

Findings Distribution

Researcher Performance

External Links

[H-02] user can initialize stream where the depositToken and the rewardToken are the same - $611.78

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - 0xean2022-01-16T01:12:20Z

QA Report - $805.82

QA Report - $805.82

🚀 [L-13] Governance has the ability to withdraw tokens the stream doesn't know about - $805.82

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - brockelmore2021-12-06T16:48:12Z

#1 - 0xean2022-01-16T01:14:29Z

#0 - 0xean
2022-01-16T01:12:20Z

#0 - brockelmore
2021-12-06T16:48:12Z

#1 - 0xean
2022-01-16T01:14:29Z