Summary

The createWithDurations function in the SablierV2LockupLinear contract is designed to create a new stream with specified durations for the cliff and total time. This function calls the internal _create function, which calculates and handles the broker fee based on the totalAmount of the stream. Due to the use of integer division in Solidity, when the totalAmount is very small and the broker fee percentage is low, the calculated fee may result in a value less than the smallest unit of the token, leading to a rounding error where the fee is effectively zero.

Proof of Concept

Consider a scenario where the totalAmount of a stream is very small, say 1 wei, and the broker fee is set at 1% (0.01). The expected broker fee would be 0.01 wei. However, due to Solidity's integer division, the calculated fee would be:

Since Solidity does not handle fractions of a wei, the result is truncated to 0 wei, and the broker receives no fee.

Impact

Brokers facilitating the creation of streams may not receive the expected compensation for their services, which could lead to dissatisfaction and a lack of incentive to support the platform.

Tools Used

Manual review

Recommendations

1. Implement a minimum fee threshold to ensure brokers receive a non-zero fee.

2. Utilize a higher precision for fee calculations by scaling up the totalAmount before applying the fee percentage, followed by scaling down the result to the appropriate token unit.

3. Enforce a minimum totalAmount for stream creation to prevent the creation of economically unviable streams.