075.md

Acidic Licorice Kangaroo

High

Missing fund tracking will prevent accurate stream management for the DAO

Summary

The StreamEscrow contract is responsible for managing multiple streams, tracking their associated funds, and streaming ETH to the DAO. https://mirror.xyz/verbsteam.eth/GYWRLqAC0heMC_2Fhc0ez0Mchxp_MCUIjoyt8UPGwrs (search keyword: Stream management) However, the current implementation of the Stream struct and streams mapping is insufficient to meet the documented requirements. Specifically:

1. The Stream struct contains only ethPerTick, canceled, and lastTick fields.
2. These fields do not provide the ability to track:
   • Total funds deposited for a specific stream.
   • The remaining balance for a stream after periodic streaming to the DAO. https://github.com/sherlock-audit/2024-11-nounsdao/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/interfaces/IStreamEscrow.sol#L48

As a result, the contract cannot accurately determine "how many funds belong to which stream" and "how much has already been streamed to the DAO" as stated in the documentation.

Root Cause

The issue lies in the lack of necessary fields in the Stream struct:

1. The Stream struct tracks:
   • ethPerTick: ETH streamed per tick.
   • lastTick: The tick when the stream ends.
   • canceled: Whether the stream is active.
2. Missing fields:
   • Total Deposited Funds: The total amount of ETH deposited for a stream.
   • Streamed Amount: The amount of ETH already streamed to the DAO.
   • Remaining Balance: Funds remaining for future ticks.

The absence of these fields makes it impossible to reconcile or validate the state of individual streams.

Impact

1. Inability to Track Stream Balances:

   • The contract lacks the ability to calculate the exact remaining balance of funds for any given stream.

2. Ambiguity in Funds Accounting:

   • Without proper accounting, the DAO or stream creators cannot validate whether the funds were managed correctly or verify how much of the stream has been consumed.

3. Non-Compliance with Documentation:

   • The contract does not fulfill the documented requirement of managing stream funds with precise internal accounting.

Mitigation

1. Enhance the Stream Struct: Add fields to track the total deposited funds, streamed amount, and remaining balance:

   struct Stream {
       uint128 ethPerTick;
       uint128 totalDeposited;  // Total ETH deposited for this stream
       uint128 streamedAmount;  // Amount of ETH already streamed
       uint32 lastTick;
       bool canceled;
   }

2. Update Stream Management Logic:

   • When a stream is created, initialize totalDeposited and streamedAmount:

   streams[nounId] = Stream({
       ethPerTick: ethPerTick,
       totalDeposited: msg.value,
       streamedAmount: 0,
       lastTick: streamLastTick,
       canceled: false
   });

   • During streaming (e.g., in forwardAll), update streamedAmount and calculate remaining balance:

   stream.streamedAmount += ethPerTick * ticksStreamed;
   uint128 remainingBalance = stream.totalDeposited - stream.streamedAmount;