Flow

Sablier
Foundry, DeFi
20,000 USDC
Submission Details
Severity: medium
Invalid

Sablier NFTs can get stuck due to use of `ERC721::_mint` instead of `_safeMint`

Summary

When a Flow stream is created, an NFT is minted to the stream `recipient`. This recipient can be a smart contract that is not equipped to handle or transfer NFTs, even if the sender intended it to be; using `_safeMint` mitigates this.

Vulnerability Details

Using `ERC721::_mint()` can mint ERC721 tokens to addresses which don't support ERC721 tokens, while `ERC721::_safeMint()` ensures that ERC721 tokens are only minted to addresses which support them. OpenZeppelin discourages the use of `_mint()`.

If the project team believes the usage of `_mint()` is correct in this case, the reason should be documented in the code where it occurs.

Impact

Recipients are not involved in the creation of a stream. If the recipient address is a smart contract that does not handle ERC721 tokens, the NFT, whether transferable or not, will be stuck.

Tools Used

Manual Review

https://docs.openzeppelin.com/contracts/4.x/api/token/erc721#ERC721-_safeMint-address-uint256-

Recommendations

Use `_safeMint` instead of `_mint` for recipient NFTs.
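The two mint paths from the finding side by side, with a Foundry test showing the stranded NFT and the revert that `_safeMint` produces instead. This is an added example, not Sablier's or OpenZeppelin's code; it assumes OpenZeppelin Contracts (v4.x or v5.x) and forge-std are installed, and `StreamNFT`, `NoHookRecipient` and `HookRecipient` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Sablier's code. Assumes OpenZeppelin Contracts ERC721 (v4.x or v5.x) and forge-std.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
import {Test} from "forge-std/Test.sol";

// A contract recipient with no ERC721 receiver hook: an NFT that `_mint` puts here cannot be moved.
contract NoHookRecipient {}

// A contract recipient that implements the hook, which is what `_safeMint` checks for.
contract HookRecipient is IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata) external pure returns (bytes4) {
        return IERC721Receiver.onERC721Received.selector;
    }
}

// Hypothetical minimal stream NFT showing the two mint paths side by side.
contract StreamNFT is ERC721 {
    uint256 public nextStreamId;

    constructor() ERC721("Stream", "STRM") {}

    // Pattern from the finding: succeeds even when `recipient` is a contract that cannot handle ERC721.
    function createStreamUnsafe(address recipient) external returns (uint256 streamId) {
        streamId = ++nextStreamId;
        _mint(recipient, streamId);
    }

    // Recommended pattern: reverts unless `recipient` is an EOA or returns the receiver selector.
    function createStreamSafe(address recipient) external returns (uint256 streamId) {
        streamId = ++nextStreamId;
        _safeMint(recipient, streamId);
    }
}

// Foundry test demonstrating the stuck-NFT outcome and the revert that `_safeMint` gives instead.
contract StreamNFTTest is Test {
    function test_mintToContractWithoutHook() public {
        StreamNFT nft = new StreamNFT();
        address stuck = address(new NoHookRecipient());
        uint256 id = nft.createStreamUnsafe(stuck);
        assertEq(nft.ownerOf(id), stuck); // minted, but NoHookRecipient has no code path to transfer it
        vm.expectRevert(); // OZ reverts with ERC721InvalidReceiver (v5) / "non ERC721Receiver implementer" (v4)
        nft.createStreamSafe(stuck);
        nft.createStreamSafe(address(new HookRecipient())); // hook present: minting succeeds
    }
}
```

Run with `forge test --match-contract StreamNFTTest`; the first mint leaves token 1 owned by a contract that can never call `transferFrom`, which is exactly the stuck state the finding describes.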

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue