Missing `ISablierFlow.PauseFlowStream` event when `rps=0` is set by a sender through the `SablierFlow::adjustRatePerSecond`
Relevant GitHub Links
https://github.com/Cyfrin/2024-10-sablier/blob/main/src/SablierFlow.sol#L189-L211
https://github.com/Cyfrin/2024-10-sablier/blob/main/src/SablierFlow.sol#L661-L669
Summary
According to the documentation a paused stream is a stream (not voided) that has an rps=0. To set this specific paused status the sender may call SablierFlow::Pause which at the end emits ISablierFlow.PauseFlowStream to confirm the changed status. However, he may get the same result by directly changing the rps stream value through SablierFlow::adjustRatePerSecond which at the end emits only another type of event.
Vulnerability Details
The SablierFlow::adjustRatePerSecond does not take into account the value to which the stream rps should be changed. Therefore, it is possible to achieve the same status with the emission of two events that are totally different one another.
Impact
The emission of different events using different functions to achieve the same status may mislead the user, having also an impact on any front-end integration that may rely on events emitted to the final user (sender).
Tools Used
Manual review
Recommendations
Either allow the sender to use SablierFlow::adjustRatePerSecond only for new rps != 0 or emits at the end of the function the ISablierFlow.PauseFlowStream in case new rps == 0
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.