StreamPay

We express our gratitude to the StreamPay team for the collaborative engagement that enabled the execution of this Smart Contract Security Assessment.

Streamable Finance offers asset streaming capabilities wrapped in financial and banking infrastructure. First ever Web2 and Web3-combined streaming suite disrupting on-demand-pay, salary, billing, housing and lending industries simultaneously with a 1T+ USD addressable market opportunity.

The system users should acknowledge all the risks summed up in the risks section of the report

The audit scope consists of a staking and reward distribution system. Users can deposit ERC20 LP tokens to various LP pools determined by the owner of the system. In return, they can acquire StreamableFinanceToken, which is an ERC777 standard token. The rewards are not directly sent to the user but are locked with a timelock. If the users wish to withdraw rewards before the timelock expires, they can do it with a penalty of 50%.

StreamPay is a staking protocol with the following contracts:

• TokenStaker — a contract that allows users to stake their tokens in pools to earn rewards. The rewards are distributed in STRF tokens, which are locked in a separate contract until the staking period is over. The contract also includes a schedule of future reward rates that depend on the elapsed time since the start of staking, as well as a mechanism for distributing the last stage of rewards at the end of the staking period.

• STRFTokenLocker — an STRF token locking contract that is used by the TokenStaker. Implementation includes timelock mechanism that handles reward distribution and penalties. TokenStaker contract is the LOCKER_ROLE of the STRFTokenLocker contract.

• ERC777Capped — an ERC-777 contract that is customly modified to cap the total supply. Initially no token is minted. Additional minting is allowed.  It has the following attributes:

• • Name: given as a constructor parameter.

  • Symbol: given as a constructor parameter.

  • Decimals: 18.

  • Total supply: given as a constructor parameter.

Privileged roles

• The owner of the TokenStaker contract can:

• • set STRF Locker.

  • add pools.

  • set allocation points of pools.

• The LOCKER_ROLE of the STRFTokenLocker contract can:

• • call the lock function.

• The MINTER_ROLE of the ERC777Capped contract can:

• • mint tokens.

The total Documentation quality score is 8 out of 10.

• Functional requirements and technical description were provided.

• NatSpec format was not followed.

• The development environment instructions were provided.

The total Code quality score is 10 out of 10.

• The development environment was configured.

• The code is well-designed and follows best practices

Code coverage of the project is 91.67% (branch coverage).

• Deployment and basic user interactions are covered with tests.

• Negative cases coverage is present.

• Interactions by several users are tested.

Upon auditing, the code was found to contain 1 critical, 2 high, 3 medium, and 5 low severity issues. Out of these, 10 issues have been addressed and resolved, leading to a Security score of 10 out of 10.

All identified issues are detailed in the “Findings” section of this report.

The comprehensive audit of the customer's smart contract yields an overall score of 9.5. This score reflects the combined evaluation of documentation, code quality, test coverage, and security aspects of the project.

The scope of the project includes the following smart contracts from the provided repository:

Contracts in Scope