Stream creation can be DoSed for fully compliant ERC20 tokens
In _create(), the contract uses the decimals() method to retrieve the token's decimals. See the ERC20 standard: decimals() is not mandatory there; it was introduced later as an optional feature, so not all tokens implement it. Tokens that do not implement it cannot be used to create streams in the protocol.
It is crucial to note that some tokens may not implement this function, either because they were created before its introduction or because they simply chose not to include it in order to reduce gas costs or contract complexity. Therefore, casting every token to the IERC20Metadata interface and calling decimals() without proper validation can result in runtime errors and potential vulnerabilities.
See more info here.
DoS of stream creation for tokens that don't implement the optional decimals() method.
Manual review
To avoid this issue and ensure compatibility with a wider range of tokens, it is recommended to follow a more resilient approach. Instead of blindly relying on the decimals() function, consider using other strategies such as:
Allowing users to specify the number of decimal places explicitly when interacting with token balances or performing calculations.
Utilizing libraries or utility functions that perform validation and fallback to a default value or heuristic method when decimals() is not available.
Providing clear documentation and warnings to users on potential compatibility issues when interacting with tokens that may not implement decimals().
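One way to combine the first two recommendations, as an added example that is not code from the audited protocol: a library that probes decimals() with a low-level staticcall instead of a typed interface call, so a token without the method does not revert stream creation. The names SafeDecimals, tryDecimals, resolveDecimals, IERC20Decimals and the fallback value of 18 are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal interface used only to build the call data (hypothetical name).
interface IERC20Decimals {
    function decimals() external view returns (uint8);
}

/// Added example; all names here are hypothetical, not from the audited code base.
library SafeDecimals {
    uint8 internal constant DEFAULT_DECIMALS = 18; // assumed fallback value

    /// @return ok    true if the token returned a usable decimals() value
    /// @return value the reported decimals, or DEFAULT_DECIMALS when ok is false
    function tryDecimals(address token) internal view returns (bool ok, uint8 value) {
        // A call to an address without code succeeds with empty return data,
        // so reject that case explicitly.
        if (token.code.length == 0) return (false, DEFAULT_DECIMALS);

        // Low-level staticcall: a missing decimals() yields success == false
        // (or short return data) instead of reverting the caller.
        (bool success, bytes memory ret) =
            token.staticcall(abi.encodeCall(IERC20Decimals.decimals, ()));

        if (success && ret.length >= 32) {
            uint256 raw = abi.decode(ret, (uint256));
            // Reject values that do not fit in uint8 rather than truncating.
            if (raw <= type(uint8).max) return (true, uint8(raw));
        }
        return (false, DEFAULT_DECIMALS);
    }

    /// Uses the caller-supplied decimals, cross-checked against the token
    /// whenever the token does report a value.
    function resolveDecimals(address token, uint8 userSupplied) internal view returns (uint8) {
        (bool ok, uint8 reported) = tryDecimals(token);
        if (ok) {
            require(reported == userSupplied, "decimals mismatch");
            return reported;
        }
        return userSupplied; // token has no decimals(): trust the explicit input
    }
}
```

Silently assuming 18 decimals can misprice amounts, which is why resolveDecimals prefers an explicit caller-supplied value over the default when the token reports nothing.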