The deposit, withdraw, and adjustRatePerSecond functions rely on the onlySender modifier and _verifyStreamSenderRecipient to verify caller identity. However, insufficient validation could allow attackers to impersonate either party, resulting in unauthorized actions.
These functions depend on onlySender and _verifyStreamSenderRecipient for validation, without additional checks to securely verify the sender and recipient roles:
This lack of comprehensive validation could enable attackers to impersonate the sender or recipient, potentially adjusting the rate, depositing, or withdrawing funds fraudulently.
Unauthorized access could allow:
- Manipulation of stream parameters, such as rate adjustments.
- Unauthorized withdrawals, resulting in financial loss for legitimate users.
Manual code review
Strengthen sender and recipient validation by incorporating off-chain hashing and signing to verify identities securely.