Flow

Summary

The Flow Protocol currently allows a sender to create a stream and set the rate per second (RPS) to any value, including zero. However, there is a critical inconsistency in the handling of the stream status when the RPS is set to zero. According to the protocol's documentation, a stream with an RPS of zero should be considered paused, and the isStream status should reflect this by being set to false.

Vulnerability Details

Stream Creation with Zero RPS: Users can initiate a stream by setting the RPS to zero. The expectation is that this action should pause the stream and reflect that it is inactive.

Inconsistent State Management: Despite the RPS being set to zero, the internal state of the stream does not update accordingly. The isStream variable remains true, indicating that the stream is active when it should not be.

Impact

User Confusion: Users may believe their stream is active when it is effectively paused, leading to confusion about their expected payment streams.

Tools Used

Manual Review

Recommendations

Implement State Update Logic: Modify the stream creation logic to ensure that when RPS is set to zero, the isStream status is automatically updated to false. This will ensure that the internal state accurately reflects the intended behavior.