Currently, anyone can withdraw an amount for another user, as long as the recipient (the to address) is the owner of the stream.
The problem is that a malicious user can front-run an owner who is claiming a larger accrued amount, forcing the owner to pay more gas to withdraw the same amount.
Bob has a stream that has accrued 100 tokens so far.
He doesn't want to pay huge Mainnet gas fees, so he has waited and wants to claim everything at once (paying gas only one time).
He calls withdraw with his stream id (let's say 1), an amount of 100, and his own address as to.
Malicious Alice sees the transaction and front-runs it, calling withdraw for the same stream and the same to address, but with amount = 1.
Her transaction succeeds: Bob receives 1 of his tokens and now has 99 left to withdraw.
When Bob's transaction is executed, it reverts on the following line, because withdrawableAmount = 99.
Alice can repeat this multiple times, making Bob lose funds by overpaying for gas.
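To make the sequence concrete, here is an added Python model of the two withdraw behaviours (not the audited contract's code; the Stream class, its accrued/withdrawn fields and the function names are assumptions). It replays Alice's 1-token front-run ahead of Bob's 100-token withdraw under the current revert-on-excess rule and under the cap suggested in the recommendation below.

```python
from dataclasses import dataclass


class WithdrawReverted(Exception):
    """Models a reverted withdraw transaction (the sender still pays gas)."""


@dataclass
class Stream:
    # Assumed minimal stream state: tokens streamed so far and tokens already withdrawn.
    stream_id: int
    recipient: str
    accrued: int
    withdrawn: int = 0

    def withdrawable_amount(self) -> int:
        return self.accrued - self.withdrawn


def withdraw_strict(stream: Stream, to: str, amount: int) -> int:
    """Current behaviour: any caller may withdraw to the recipient, and a
    request above the withdrawable balance reverts."""
    if to != stream.recipient:
        raise WithdrawReverted("to is not the stream recipient")
    withdrawable = stream.withdrawable_amount()
    if amount > withdrawable:
        raise WithdrawReverted(f"amount {amount} > withdrawableAmount {withdrawable}")
    stream.withdrawn += amount
    return amount


def withdraw_capped(stream: Stream, to: str, amount: int) -> int:
    """Recommended behaviour: cap amount at withdrawableAmount instead of reverting."""
    if to != stream.recipient:
        raise WithdrawReverted("to is not the stream recipient")
    amount = min(amount, stream.withdrawable_amount())
    stream.withdrawn += amount
    return amount


def front_run_scenario(withdraw) -> dict:
    """Replay the finding: Alice's withdraw(1) is mined just before Bob's withdraw(100)."""
    stream = Stream(stream_id=1, recipient="bob", accrued=100)  # constructed sample state
    front_run_paid = withdraw(stream, to="bob", amount=1)       # Alice's tx, funds go to Bob
    try:
        bob_got, bob_reverted = withdraw(stream, to="bob", amount=100), False
    except WithdrawReverted:
        bob_got, bob_reverted = 0, True                          # Bob paid gas for nothing
    return {"front_run_paid_to_bob": front_run_paid, "bob_received": bob_got,
            "bob_reverted": bob_reverted, "left_in_stream": stream.withdrawable_amount()}
```

With the cap, Bob's transaction withdraws the remaining 99 instead of reverting, so the front-run no longer costs him a second transaction.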
Unnecessary loss of funds through wasted gas.
Manual Review
Instead of reverting when amount exceeds withdrawableAmount, assign withdrawableAmount to amount: