Flow

Sablier
Foundry, DeFi
20,000 USDC
Submission Details
Severity: medium
Invalid

Pausable tokens and tokens with blocklist like USDC and USDT can cause potential interruptions and disruptions in the protocol

Summary

In protocols like Flow, which enables debt tracking and open-ended streaming of payments between two parties, reliance on pausable or blocklist-enabled tokens (such as USDC and USDT) introduces risk and potential interruptions in payment streaming. Flow allows users to create a continuous payment stream based on a predefined rate per second, allowing recipients to withdraw funds over time. However, tokens that can be paused or blocklisted by an issuer can lead to disruptions in the protocol, especially if token transfers are suddenly restricted or frozen.

Vulnerability Details

Flow allows a sender to initiate a stream specifying the token transfer rate per second, with funds being gradually transferred to a recipient. In this system, if the underlying asset has controls like pausing or blocklisting, Flow’s continuous payment mechanism can be abruptly halted, even if both the sender and recipient are fully compliant and expect uninterrupted streaming. Such an event could arise if the token issuer pauses transactions due to compliance issues or suspicious activity, effectively locking funds in the stream and preventing the recipient from accessing their rightful balance.

For example:

  • Pausing: If the token issuer pauses all transfers, the funds already allocated in Flow’s stream are inaccessible until the token is resumed.

  • Blocklisting: If the sender's or recipient's address is blocklisted, the streaming protocol might fail, as future transfers to the recipient could be permanently frozen.

Impact

Payment Disruptions: The recipient may experience interruptions in payment access if the token is paused or if blocklist conditions are triggered. This disrupts the continuous, predictable income streams Flow aims to offer.

Liquidity Risk: Funds become locked in the contract, potentially inaccessible to either party. This creates liquidity issues, especially if the sender is counting on ongoing withdrawals to satisfy other obligations.

Tools Used

Manual Review
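
The failure mode described in this submission, as an added example that is not part of the submission and is not Flow's code. `ControlledToken` and `MiniStream` are hypothetical, constructed contracts; the `to` parameter on `withdraw` is an assumed design choice used to show which restrictions a streaming contract can and cannot route around.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed mock: the issuer can pause all transfers or blocklist single addresses.
// mint() is left unrestricted because this is test scaffolding only.
contract ControlledToken {
    address public immutable issuer = msg.sender;
    bool public paused;
    mapping(address => bool) public blocked;
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function setPaused(bool p) external { require(msg.sender == issuer); paused = p; }
    function setBlocked(address a, bool b) external { require(msg.sender == issuer); blocked[a] = b; }

    function transfer(address to, uint256 amt) external returns (bool) {
        require(!paused, "paused");
        require(!blocked[msg.sender] && !blocked[to], "blocklisted");
        balanceOf[msg.sender] -= amt; // reverts on insufficient balance (checked math)
        balanceOf[to] += amt;
        return true;
    }
}

// Hypothetical single-stream escrow: debt accrues per second regardless of token
// state, but every payout ends in token.transfer and inherits its restrictions.
contract MiniStream {
    ControlledToken public immutable token;
    address public immutable recipient;
    uint256 public immutable ratePerSecond;
    uint256 public lastWithdrawal = block.timestamp;

    constructor(ControlledToken t, address r, uint256 rps) {
        token = t; recipient = r; ratePerSecond = rps;
    }

    function owed() public view returns (uint256) {
        return (block.timestamp - lastWithdrawal) * ratePerSecond;
    }

    // paused            -> reverts for every `to`; the revert rolls back lastWithdrawal,
    //                      so the accrued amount is claimable once transfers resume.
    // recipient blocked -> reverts only if `to` is the blocked address.
    // stream blocked    -> reverts for every `to`; nothing in this contract can help.
    function withdraw(address to) external {
        require(msg.sender == recipient, "not recipient");
        uint256 amt = owed();
        lastWithdrawal = block.timestamp;
        require(token.transfer(to, amt), "transfer failed");
    }
}
```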

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
