Flow

Relevant GitHub Links

• SablierFlow:depositAndPause

• ISablierFlow:depositAndPause:Requirements

Summary

The depositAndPause function lacks the notVoided modifier, which ensures that the streamId is not associated with a voided stream before allowing a deposit. This omission leads to potential inconsistencies, as voided streams may still be paused and deposits attempted, which is against the intended behavior described in the function’s documentation.

Vulnerability Details:

In the depositAndPause function, the notPaused modifier is included to ensure that the stream is not paused, but the notVoided modifier, required by deposit and used across all deposit-related functions, is missing. The comments in depositAndPause refer to requirements in both deposit and pause functions, implying that both notPaused and notVoided should be present.

The _pause and _void functions illustrate that voiding a stream effectively pauses it by setting the ratePerSecond to zero. Despite this, all deposit-related methods include the notVoided modifier, reinforcing that a voided stream should not accept deposits. By not including notVoided, the depositAndPause function deviates from this standard, allowing deposits into voided streams.

Impact Details

Allowing deposits on voided streams could lead to unexpected state issues, where funds are deposited into streams that should no longer be active. This misalignment with expected behavior can cause significant functional inconsistencies and increase the risk of unintended fund handling for voided streams.

Recommendation:

Add the notVoided modifier to the depositAndPause function to ensure consistency with other deposit-related functions and prevent deposits to voided streams. This approach aligns with the function's requirements, which reference both the deposit and pause function requirements.

Tools Used

Manual code review