A critical vulnerability exists in the Flow Protocol that allows a malicious sender to configure a streaming rate so low that effectively no value is streamed for an extended period. Specifically, a sender can set the rate as low as 1 wei per second: the stream starts, but it takes an impractical amount of time to accrue any significant amount of funds. This lets the sender create a stream that can remain "active" for years without materially drawing down the underlying balance.
In the current implementation of the Flow Protocol:
Low Streaming Rate Configuration: The sender is able to set an extremely low rate per second for streaming payments (e.g., 1 wei per second), and no lower bound is enforced at stream creation.
Delayed Value Accrual: Given such a low rate, even a continuously running stream accrues a negligible total for an extended time. The stream appears active but provides no meaningful value to the recipient.
User Experience Deterioration: The recipient may become frustrated, since they receive no substantial payments despite the stream appearing active.
Potential Exploitation: Malicious actors can use this behavior to create streams that tie up recipients' resources without providing any compensation, leading to dissatisfaction and mistrust in the protocol.
Devaluation of Streaming Mechanism: Such low rates undermine the core purpose of the streaming feature, which is designed to facilitate timely and meaningful payments between parties.
Manual Review
Implement Minimum Rate Limits: Introduce a minimum allowable streaming rate, enforced at stream creation, to prevent the creation of streams that accrue negligible value.
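The following is an added illustration of the recommended mitigation, written for this report; it is not the Flow Protocol's code. The contract, function and variable names (`MinRateStreamExample`, `create`, `MIN_RATE_PER_SECOND`, `minAmountPerDay`) are hypothetical, and the floor value chosen by the deployer is a constructed example. The minimum per-second rate is derived from a minimum amount per day, so the check is expressed in terms a reviewer can reason about (how much must reach the recipient over a day) rather than an arbitrary wei figure.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical minimal streaming contract, added only to illustrate a
/// minimum-rate check at stream creation. Not the Flow Protocol's code.
contract MinRateStreamExample {
    error RatePerSecondTooLow(uint128 ratePerSecond, uint128 minimum);

    struct Stream {
        address sender;
        address recipient;
        uint128 ratePerSecond; // token units (wei) streamed per second
        uint40 startTime;
    }

    /// Floor on the per-second rate, fixed at deployment.
    uint128 public immutable MIN_RATE_PER_SECOND;

    uint256 public nextStreamId;
    mapping(uint256 => Stream) public streams;

    /// @param minAmountPerDay Smallest amount (in token units) a stream must
    /// pay out per day. Constructed example for a token with 18 decimals:
    /// 1e15 (0.001 tokens/day), giving a floor of ~1.157e10 wei per second.
    constructor(uint128 minAmountPerDay) {
        // Typed integer division of a uint128 by the `1 days` literal (86400 s).
        MIN_RATE_PER_SECOND = minAmountPerDay / 1 days;
    }

    /// Creates a stream; reverts when the rate cannot accrue meaningful value.
    function create(address recipient, uint128 ratePerSecond)
        external
        returns (uint256 streamId)
    {
        // The recommended mitigation: a 1 wei/s rate fails this check,
        // so the "active but worthless" stream can no longer be created.
        if (ratePerSecond < MIN_RATE_PER_SECOND) {
            revert RatePerSecondTooLow(ratePerSecond, MIN_RATE_PER_SECOND);
        }
        streamId = nextStreamId++;
        streams[streamId] = Stream({
            sender: msg.sender,
            recipient: recipient,
            ratePerSecond: ratePerSecond,
            startTime: uint40(block.timestamp)
        });
    }

    /// Amount accrued so far, rate * elapsed seconds. With a 1 wei/s rate
    /// this stays below 4e7 wei after a full year, which is why the floor
    /// above is enforced before the stream ever starts.
    function accrued(uint256 streamId) external view returns (uint256) {
        Stream storage s = streams[streamId];
        return uint256(s.ratePerSecond) * (block.timestamp - s.startTime);
    }
}
```

One design point to weigh when adopting such a floor: a single wei-denominated minimum means different things for tokens with different decimals (6 versus 18), so a protocol that streams many tokens should either express the floor per token or in decimal-adjusted units rather than reuse one constant.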