pfpaymentstream-truffle's Introduction

Testing

Since this project uses Chainlink oracles testing the project requires an infura/alchemy/geth node
To set your node add the GETH_NODE env variable in .env
Provided node will be used to spawn a local mainnet fork using ganache-core

npm install -g truffle

npm install

truffle test

Additions to the original design specs:

_addToken(address tokenAddress, address oracleAddress)
adds the corresponding ChainLink oracle address
delegatePausable(uint streamId, address delegate) onlyPayerOrDelegated(streamId)
Delegates pausable capability to address delegate
claimable (uint streamId)
returns accrued amount in USD (18 decimals) for streamId
claimableToken (uint streamId)
returns accrued amount in token value using Chainlink' oracle
getStreamsCount()
return total no. of streams: useful for looping through streams using getStream(id)

Events emitted

event newStream(uint id, address payer, address payee, uint usdAmount)
- Emitted after successful createStream, useful for indexing purposes
event tokenAdded(address tokenAddress, address oracleAddress)
- Emitted when the owner adds support for a new token
event claimed(uint id, uint usdAmount, uint tokenAmount); Emitted when a user claims his accrued amount, tracks both the value in USD and in token

Design specs

Original design specs

Outcomes

A payment stream is a per-Ethereum-block drip stream of abstract USD to a payee address.
A payer may create, start, or stop payment streams to a payee address.
Each payment stream is associated with a token , and has received an ERC20 approval from the funding address.
Payees may Claim the unlocked, unclaimed USD balance of the payment stream.
A Claim will consult an on-chain price oracle USDC/XYZ, calculate the amount of XYZ coins to be paid, and transfer that amount of XYZ to the payee.

Implementation

createStream(payee address, payee USD amount, payer token, funding address, end time)

Create a new payment stream from payer to payee. Funds may be from any account; funding account must approve this contract debiting this amount.

pauseStream(stream ID)

Stop the drip.

unpauseStream(stream ID)

Restart the drip.

setPayee(stream ID, address)

Change stream payee address.

setFundingRate(stream ID, USD amount, end time)

Change stream funding rate.

setFundingAddress(stream ID, address)

Change stream funding address.

claim(stream ID)

Payee receives nnnn.nn XYZ tokens, derived from a calculation of accumulated-but-not-claimed USD balance. The amount of XYZ tokens is calculated from an on-chain XYZ/USDC price oracle at claim time.

pfpaymentstream-truffle's People

Watchers

pfpaymentstream-truffle's Issues

Evil payer could steal someone else' stream

Attack scenario:

Alice (payer) creates a stream for Bob (payee):
He (Alice) sets 10,000.00$ in token from fundingAddress to be distributed to Bob during let's say 1 year
For the stream to work fundingAddress token has to approve PaymentStream as a spender.
To keep things simple let's think as there won't be any price fluctuation during the year so fundingAddress gives a 10,000$ (in token amount) approval to PaymentStream in advance.
Let's say this newly created stream ID is: 10

Evil stream:

Attacker has 2 addresses (EvilAlice and EvilBob)
He (EvilAlice) creates a new stream using the same usdAmount, token and fundingAddress as stream id: 10, but a different payee (EvilBob) and a shorter deadline (e.g: 1 sec instead of 1 year)
New stream id: 11

After the next block, EvilBob can claim his streamId 11, thus stealing the funds from fundingAddress.

Possible fixes:

restrict createStream to trusted parties only (using AccessControl for example)
fundingAddress must be unique, so no other stream can have the same fundingAddress set

Recommend Projects

antoniopel / pfpaymentstream-truffle Goto Github PK