The `depletionTimeOf` function in the provided Solidity code is responsible for calculating the timestamp at which a stream's balance will be depleted. However, it currently overlooks the ongoing debt when computing the solvency amount, leading to an inaccurate depletion time estimate. This discrepancy can cause incorrect assumptions about the stream's solvency, potentially resulting in premature or delayed depletion notifications.
In the `depletionTimeOf` function, the solvency amount is calculated as follows:
This calculation omits `_ongoingDebtScaledOf(streamId)`, which represents the debt accumulated since the last snapshot (`snapshotDebtScaled`). The omission of ongoing debt skews the solvency estimate by ignoring part of the current debt, thereby yielding an inflated balance. As a result, the calculated `depletionTime` does not reflect the actual point at which the total debt will exceed the balance, leading to inaccurate depletion estimates.
This vulnerability impacts the accuracy of depletion time predictions, affecting both users and the protocol’s reliability. Misestimating depletion time can lead to:
- Premature or delayed depletion alerts: Users relying on accurate depletion notifications may make incorrect financial decisions, as they might underestimate or overestimate how long the stream can support transfers.
- Protocol integrity risks: If the protocol utilizes `depletionTime` for internal mechanisms such as automated fund management or liquidity provisions, errors in the timing could create unexpected liabilities or disruptions in service continuity.
Manual Review
To address this issue, account for the ongoing debt in the solvency amount calculation. Update the code to include `_ongoingDebtScaledOf(streamId)` in the solvency amount as follows: