[Security Review] Community findings — LOW-2, LOW-3, LOW-4, INFO-2 (Issue #1)

[Marvy247]

Summary

Independent security review of stream-manager.clar and stream-factory.clar as requested in issue #1.

Closes #1

---

Findings & Fixes

LOW-2 — claim: authorization check after balance calculations

Before: asserts! (is-eq caller recipient) was placed after the let block computed effective-elapsed, streamed, claimable, and claim-amount. A non-recipient caller triggered unnecessary computation before being rejected.
Fix: Reordered asserts — authorization first, then state checks, then token mismatch, then zero-claim guard.

LOW-3 — top-up-stream: authorization check after arithmetic calculations

Before: asserts! (is-eq caller sender) was placed after let computed additional-blocks, new-deposit, new-end-block.
Fix: Comment updated to reflect auth-first intent. No exploitability — code quality fix.

LOW-4 — resume-stream: no end-block guard

Before: A sender could resume a paused stream after its end-block had passed, leaving it in STATUS-ACTIVE indefinitely. No extra tokens accrue (elapsed is clamped), but the on-chain state is misleading.
Fix: Added (asserts! (< current-block (get end-block stream-data)) ERR-STREAM-ENDED).

INFORMATIONAL-2 — stream-factory total-deposited does not reflect top-ups

No code change — analytics-only issue, accepted for v1. Documented in SECURITY_REVIEW.md.

---

No Critical / High / Medium findings

All authorization paths are correct. Token conservation holds on every exit path. Arithmetic is safe. State transitions are correct.

Full findings documented in SECURITY_REVIEW.md.

[vercel]

@Marvy247 is attempting to deploy a commit to the dev_jaytee's projects Team on Vercel.

A member of the Team first needs to authorize it.