This calculation does not include depositTokenFlashloanFeeAmount. Therefore they can be claimed by the streamCreator altough they are for factory reward. I consider this as a high risk, since profits of factory can get stolen and anyone create a stream.
Futhermore, those fees can be still claimed by the governance, which results at less than expected depositToken in contract. Therefore, user funds get lost.
Mitigation step
Add depositTokenFlashloanFeeAmount to the calculation.
0xean
commented
2 years ago
Handle
0x0x0x
Vulnerability details
Concept
On
recoverTokensfunction inStream. Excess amount of deposit token is calculated as follows:uint256 excess = ERC20(token).balanceOf(address(this)) - (depositTokenAmount - redeemedDepositTokens);This calculation does not include
depositTokenFlashloanFeeAmount. Therefore they can be claimed by thestreamCreatoraltough they are for factory reward. I consider this as a high risk, since profits of factory can get stolen and anyone create a stream.Futhermore, those fees can be still claimed by the
governance, which results at less than expecteddepositTokenin contract. Therefore, user funds get lost.Mitigation step
Add
depositTokenFlashloanFeeAmountto the calculation.