Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: low
Valid

Allowing transfer of cancelled streams exposes an attack vector in NFT marketplace

Summary

The seller of a stream NFT can front-run the buyer by cancelling the stream before the NFT is transferred, keeping both the streamed funds and the buyer's payment.

Vulnerability Details

By protocol design, each stream is minted as an NFT so that streams can be traded on marketplaces.
However, a cancelled stream is still transferable. This exposes a vulnerability: when a buyer purchases a stream NFT on a marketplace, the seller can front-run the buy transaction and cancel the stream before the NFT is transferred.
As a result, the seller receives both the streamed amount and the payment made by the buyer.

Impact

The stream NFT buyer loses their money by receiving an empty NFT, while the malicious seller profits.
This can happen on 100% of such transactions.

Tools Used

Manual Review

Recommendations

Cancelled streams shouldn't be transferable.
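As an added illustration of this recommendation (not Sablier's code), the contract below models a stream NFT whose transfer hook rejects cancelled streams, so a cancel that lands before marketplace settlement makes the buyer's transfer revert instead of delivering an empty NFT. It assumes OpenZeppelin Contracts v5 (where `_update` is the transfer hook) and a deliberately minimal, hypothetical stream model with no fund accounting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example illustrating the recommendation above; this is not Sablier's code.
// Assumes OpenZeppelin Contracts v5, where _update is the transfer hook.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

contract CancelGuardedStreamNFT is ERC721 {
    enum Status { STREAMING, CANCELED }
    struct Stream {
        address sender; // party funding the stream (hypothetical minimal model)
        Status status;
    }

    mapping(uint256 streamId => Stream) private _streams;
    uint256 private _nextStreamId = 1;

    error StreamCanceled(uint256 streamId);
    error Unauthorized(address caller);

    constructor() ERC721("Guarded Stream", "GSTRM") {}

    /// Mints the stream NFT to `recipient`; msg.sender becomes the stream sender.
    function create(address recipient) external returns (uint256 streamId) {
        streamId = _nextStreamId++;
        _streams[streamId] = Stream({sender: msg.sender, status: Status.STREAMING});
        _safeMint(recipient, streamId);
    }

    /// Either party may cancel; fund accounting is omitted from this toy model.
    function cancel(uint256 streamId) external {
        Stream storage s = _streams[streamId];
        if (msg.sender != s.sender && msg.sender != ownerOf(streamId)) revert Unauthorized(msg.sender);
        s.status = Status.CANCELED;
    }

    function isCanceled(uint256 streamId) public view returns (bool) {
        return _streams[streamId].status == Status.CANCELED;
    }

    /// Transfer hook: a cancel() landing before marketplace settlement makes the transfer
    /// revert, so the buyer never receives an empty NFT. Mints and burns still pass.
    function _update(address to, uint256 streamId, address auth) internal override returns (address) {
        address from = _ownerOf(streamId);
        if (from != address(0) && to != address(0) && isCanceled(streamId)) {
            revert StreamCanceled(streamId);
        }
        return super._update(to, streamId, auth);
    }
}
```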

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Info/Gas/Invalid as per Docs

https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity

NFTs integration with DEFI projects (market, lending etc) can be exploited/won't work

bladesec Submitter
about 1 year ago
inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

NFTs integration with DEFI projects (market, lending etc) can be exploited/won't work
