A payment streaming protocol was preparing to go live on mainnet. The system enabled continuous fund transfers with time-based accrual, including support for pausing, resuming, and canceling streams. That flexibility introduced complex state transitions that had to remain safe and consistent across time windows.

Security was paramount. With real assets at stake, the organization needed assurance that users could not exploit timing logic or interfere with one another’s balances. The team had already written extensive tests but wanted an external review to assess assumptions, identify edge cases, and confirm that their logic held under adversarial conditions.

Review Approach

Cantina structured the engagement as a scoped high-touch review, selecting researchers with experience in stateful systems and fund custody logic. The review focused on pause-resume-cancel mechanics, looking for mismatches between time tracking and balance accounting.

Key review workflows included:

  • Systematic modeling of time-based accrual and unlock logic
  • Manual walkthroughs of each stream function using varied timestamp inputs
  • Edge-case simulation of overlapping operations (pause → resume → cancel)
  • Verification of invariants like monotonic balance growth and capped withdrawals
  • Assessment of pause state storage and update propagation

The Cantina team provided feedback early and iteratively. This helped the client triage findings quickly and apply patches without delaying their deployment window.

Key Finding: Balance Exploitation via Pause and Cancel

The reviewers identified a critical flaw in how the system calculated claimable balances when a stream was paused and then canceled. By pausing a stream, waiting, and then canceling it, a user could receive more funds than had actually accrued to them.

The root cause was that the implementation never deducted the paused duration from the elapsed time used in the stream calculation. Every second spent paused was counted as if it had been streamed, so the longer the pause before cancellation, the larger the over-withdrawal.

Vulnerable Function

What Went Wrong

The accrual formula assumes uninterrupted progression from startTime to block.timestamp. Because it never excludes the intervals during which the stream was paused, it overstates the recipient's actual entitlement by exactly the paused duration multiplied by the stream rate.

Solution

Cantina recommended:

  • Storing the cumulative paused duration in the stream struct
  • Adjusting balance calculations to subtract the total paused time
  • Ensuring that resume operations update timestamps correctly to prevent overlap or leakage

The team patched the function by introducing an adjusted elapsed time field that respected pause intervals. Reviewers helped validate the fix and regression-tested related flows.

Secondary Finding: Locked Funds via Broken Resume Logic

The team also flagged a bug where paused streams failed to resume correctly. If a stream was paused and certain state transitions were interrupted, the recipient could be left unable to claim any funds at all. This was traced to stale timestamps left behind by the resume path and to improper event propagation.

A targeted fix ensured that pause and resume logic correctly updated internal state and emitted all necessary events for clients and UI sync.
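The behaviours described in the two findings above, as an added runnable model in Python. This is not the client's contract and not Cantina's code (the case study reproduces neither); every name in it, including `Stream`, `rate`, `paused_at`, `paused_total`, the pause/resume schedule, and the specific way a stale timestamp locks funds, is an assumption made for illustration, and block.timestamp is modelled as a plain integer `now`. It contrasts the accrual formula that ignores paused time (and therefore over-pays on pause, wait, cancel) with the corrected one that subtracts cumulative paused duration; shows one way a resume that leaves its pause timestamp stale collapses the recipient's claimable amount to zero; and includes a property check for the invariants listed under the review approach (claimable never exceeds rate times active seconds, never decreases while the stream is active, and the cancel payout never exceeds the deposit).

```python
# Added illustration, not the client's contract: a minimal model of a
# pausable payment stream. All names (Stream, rate, paused_at, ...) are assumed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Stream:
    rate: int                        # tokens accrued per second while active
    deposit: int                     # funded amount; hard cap on total payout
    start_time: int
    withdrawn: int = 0
    paused_total: int = 0            # cumulative seconds spent paused
    paused_at: Optional[int] = None  # start of the current pause, if any


def claimable_vulnerable(s: Stream, now: int) -> int:
    """Flawed formula: assumes uninterrupted accrual since start_time."""
    earned = s.rate * (now - s.start_time)
    return min(earned, s.deposit) - s.withdrawn


def claimable_fixed(s: Stream, now: int) -> int:
    """Corrected formula: subtract finished pauses and the pause in progress.
    A negative result can only come from corrupted state (a stale paused_at);
    clamping it to 0 is exactly the 'cannot claim' symptom."""
    paused = s.paused_total + (now - s.paused_at if s.paused_at is not None else 0)
    earned = s.rate * (now - s.start_time - paused)
    return max(0, min(earned, s.deposit) - s.withdrawn)


def pause(s: Stream, now: int) -> None:
    assert s.paused_at is None, "already paused"
    s.paused_at = now


def resume_stale(s: Stream, now: int) -> None:
    """Buggy resume (assumed mechanism): books the paused time but leaves
    paused_at set, so every later accrual keeps subtracting a pause in progress."""
    assert s.paused_at is not None, "not paused"
    s.paused_total += now - s.paused_at   # paused_at is never cleared


def resume_fixed(s: Stream, now: int) -> None:
    assert s.paused_at is not None, "not paused"
    s.paused_total += now - s.paused_at
    s.paused_at = None


def cancel(s: Stream, now: int, claimable) -> int:
    """Pay out whatever `claimable` reports and record it as withdrawn."""
    amount = claimable(s, now)
    s.withdrawn += amount
    return amount


def pause_then_cancel(claimable, wait: int = 1000) -> int:
    """Key finding: run 100 s at 1 token/s, pause, wait, cancel. Earned: 100."""
    s = Stream(rate=1, deposit=10_000, start_time=0)
    pause(s, now=100)
    return cancel(s, now=100 + wait, claimable=claimable)


def pause_resume_then_claim(resume, now: int = 1000) -> int:
    """Secondary finding: pause at 100 s, resume at 200 s, claim later.
    Correct entitlement at t=1000 is 900 tokens."""
    s = Stream(rate=1, deposit=10_000, start_time=0)
    pause(s, now=100)
    resume(s, now=200)
    return claimable_fixed(s, now)


def check_invariants(claimable, resume, horizon: int = 2000) -> bool:
    """Property check over a pause/resume schedule followed by cancel.
    The harness counts active seconds itself, independent of the stream's
    timestamp arithmetic, and verifies: (1) claimable never exceeds
    rate * active seconds minus withdrawn, (2) claimable never decreases
    while active, (3) the cancel payout never exceeds the deposit."""
    s = Stream(rate=3, deposit=1_500, start_time=0)
    schedule = {300: "pause", 450: "resume", 900: "pause", 1000: "resume"}
    harness_paused, active_secs, last = False, 0, 0
    for now in range(1, horizon + 1):
        if not harness_paused:        # the interval [now-1, now) was active
            active_secs += 1
        action = schedule.get(now)
        if action == "pause":
            pause(s, now)
            harness_paused = True
        elif action == "resume":
            resume(s, now)
            harness_paused = False
        cur = claimable(s, now)
        if cur > s.rate * active_secs - s.withdrawn:
            return False              # paid for seconds that were not active
        if not harness_paused and cur < last:
            return False              # entitlement went backwards
        last = cur
    cancel(s, horizon, claimable)
    return s.withdrawn <= s.deposit
```

With these inputs, `pause_then_cancel(claimable_vulnerable)` pays 1100 tokens for 100 seconds of streaming, while the corrected formula pays 100; `pause_resume_then_claim(resume_stale)` returns 0 despite 800 active seconds, whereas the corrected resume yields 900; and `check_invariants` passes only for the corrected pair, rejecting the flawed formula at the first paused second and the stale resume at the moment its balance goes backwards. The ground-truth counter in the harness is the important design choice: an invariant check that reuses the contract's own timestamp arithmetic would confirm the bug rather than catch it.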

Outcome

The organization deployed with confidence, having resolved issues that could have caused both financial loss and operational disruption. All bugs were fixed before launch, and test coverage was expanded to include edge-case behaviors identified during the review.

Cantina’s model allowed rapid, contextual feedback that aligned with the team’s sprint cadence. Reviewers served not only as auditors, but as sparring partners, helping stress test design logic and raise the bar on system reliability.

Explore Next Steps

If your organization handles time-based fund custody, streaming payments, or similar escrow mechanics, structure matters. Reviews are most effective when scoped to match your architecture, lifecycle, and code maturity.

To define a review that aligns with your goals, contact us. We’ll help you move forward with clarity.
