Description:

The void() function has special handling for insolvent streams. If a stream has uncovered debt (total debt exceeds balance), void() will set uncovered debt to 0 and snapshot debt to the current balance. This allows a malicious sender to cancel their debt by voiding the stream.

Summary:

A malicious sender can create a stream with a high ratePerSecond, allow debt to accrue in excess of the balance, and then call void() to forgive all outstanding debt, effectively getting a loan with no obligation to repay the recipient.

Vulnerability Details:

The vulnerability stems from this code block in the internal _void() function:

When voiding an insolvent stream, it sets snapshotDebtScaled to the current balance, wiping out any uncovered debt. The attack can be executed in three steps:

1. Create a stream with high ratePerSecond

2. Wait for debt to accrue past the balance

3. Call void() to cancel debt

Impact:

A malicious sender can get a loan for an arbitrary amount. Debt is fully cancelable, so risk is unbounded. Recipients lose expected payments. Could be automated to target many victims. High reputational risk as the protocol would be seen as untrustworthy if exploited.

Tools Used:

• Manual code review