Sender and recipient might agree to reduce protocol fee
Summary
By using recipient as broker, sender and recipient can short protocol fee by the max of 10%
Vulnerability Details
If a stream is created, protocol should get fee on every withdrawal made by recipient of the stream.
However, there is the option of depositing through a broker which gives both parties the oppurtunity to avoind fee payment.
Examine a scenerio;
Alice creates a stream with Bob as the recipient
ratePerSecon is such thst after a year debt will be 1,000,000_USDC
Alice decides to pay debt after a year
Under normal circumstance, if protocol fee is 1% of debt, it amounts to 10,000_USDC
Now, Alice calls depositViaBroker() with Bob address as the broker address with 10% fee
Only 900,000_USDC is then deposited and when Bod attempts to withdraw, only 9,000_USDC is deducted as fee
Note; this is profitable for the recipient since Bob still gets additonal 100k USDC which includes what would have been protocol fee.
Sender then voids stream, an action that cancels the remaining debt.
The only party that lost here is the protocol
Tools Used
Manual review.
Recommendations
Deduct what is the protocol fee from what is being sent to the broker as well.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.