From b1b22491875db5681687d1d7eff15182028bd3fe Mon Sep 17 00:00:00 2001
From: El De-dog-lo <3859395+fubuloubu@users.noreply.github.com>
Date: Thu, 25 Apr 2024 17:12:43 -0400
Subject: [PATCH] fix: bug with cancelling

Would allow the `owner` to be able to "steal" the unvested funds of a stream being cancelled
---
 contracts/StreamManager.vy | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/contracts/StreamManager.vy b/contracts/StreamManager.vy
index 420a1dc3..543b3bd7 100644
--- a/contracts/StreamManager.vy
+++ b/contracts/StreamManager.vy
@@ -219,14 +219,14 @@ def cancel_stream(
     reason: Bytes[MAX_REASON_SIZE] = b"",
     creator: address = msg.sender,
 ) -> uint256:
-    assert msg.sender in [creator, self.owner]
+    assert msg.sender == creator or msg.sender == self.owner
     assert self.streams[creator][stream_id].start_time + MIN_STREAM_LIFE <= block.timestamp
 
     funded_amount: uint256 = self.streams[creator][stream_id].funded_amount
     amount_locked: uint256 = funded_amount  - self._amount_unlocked(creator, stream_id)
 
     token: ERC20 = self.streams[creator][stream_id].token
-    assert token.transfer(msg.sender, amount_locked, default_return_value=True)
+    assert token.transfer(creator, amount_locked, default_return_value=True)
 
     self.streams[creator][stream_id].funded_amount = funded_amount - amount_locked