The _create function does not ensure that tranches are sorted by their timestamps, and this is leading to incorrect streaming behavior if the tranches are unordered.
The function is responsible for creating a new stream based on the provided parameters, including tranches here where is the vulnerable lines where the tranches are pushed into the storage array _tranches[streamId] without any validation on their order:
let’s say a scenario that how this bug can is arise let’s say Alice wants to create a stream to Bob with three tranches and the Tranches are provided out of order that timestamps not in ascending order
Tranche 1: Amount = 100, Timestamp = 1650000000
Tranche 2: Amount = 200, Timestamp = 1640000000 (Earlier than Tranche 1, out of order)
Tranche 3: Amount = 300, Timestamp = 1660000000
the Attack Vector occur as :
Alice calls createWithTimestamps to create a stream with these tranches.
The function _create is called internally, and the tranches are pushed into the _tranches mapping without checking the order.
This results in the contract storing tranches in the wrong order:
• Tranche 2 (1640000000)
• Tranche 1 (1650000000)
• Tranche 3 (1660000000)
When Bob tries to withdraw the streamed amount, the calculation in _calculateStreamedAmount will be flawed, leading to incorrect fund releases.
as result Bob might receive funds prematurely or late.
this is from the docs:
The milestones must be sorted in ascending order. It’s not possible for the i-1th milestone to be greater than the ith milestone (given we are dealing with increasing monotonic functions).
Funds might be released incorrectly or locked indefinitely
Manual review
Need to Ensure tranches are sorted by their timestamps before storing them as an example :
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.