Handle
0x0x0x
Vulnerability details
Concept
In the recoverTokens function in Stream, the excess amount of deposit token is calculated as follows:
uint256 excess = ERC20(token).balanceOf(address(this)) - (depositTokenAmount - redeemedDepositTokens);
This calculation does not include depositTokenFlashloanFeeAmount. Therefore these fees can be claimed by the streamCreator, although they are for the factory reward. I consider this as a high risk, since profits of the factory can get stolen and anyone can create a stream.
Furthermore, those fees can still be claimed by the governance, which results in less depositToken than expected in the contract. Therefore, user funds get lost.
Mitigation step
Add depositTokenFlashloanFeeAmount to the calculation.
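The accounting gap described above, as an added example that is not part of the original report and not the Stream contract's code: a simplified Python model of the balance bookkeeping, comparing the reported excess calculation with the mitigated one. The class, the method names and the sample amounts are assumptions; only the variable names come from the report.

```python
# Simplified model of the accounting in the report (not the contract's code).
# Method names and amounts are hypothetical; variable names are the report's.
class StreamModel:
    def __init__(self, fixed: bool):
        self.fixed = fixed                        # apply the report's mitigation?
        self.balance = 0                          # ERC20(token).balanceOf(address(this))
        self.depositTokenAmount = 0
        self.redeemedDepositTokens = 0
        self.depositTokenFlashloanFeeAmount = 0

    def deposit(self, amount: int) -> None:
        self.balance += amount
        self.depositTokenAmount += amount

    def flashloan_fee_paid(self, fee: int) -> None:
        # Borrower returns the principal plus a fee; only the fee stays behind.
        self.balance += fee
        self.depositTokenFlashloanFeeAmount += fee

    def reserved(self) -> int:
        # Tokens the contract must keep; the fix also reserves accrued fees.
        owed = self.depositTokenAmount - self.redeemedDepositTokens
        if self.fixed:
            owed += self.depositTokenFlashloanFeeAmount
        return owed

    def recover_tokens(self) -> int:
        # streamCreator sweeps whatever is counted as excess.
        excess = self.balance - self.reserved()
        self.balance -= excess
        return excess

    def governance_claim_fees(self) -> int:
        # Assumed fee claim: pays out the recorded fee amount and resets it.
        fee = self.depositTokenFlashloanFeeAmount
        self.depositTokenFlashloanFeeAmount = 0
        self.balance -= fee
        return fee

    def user_shortfall(self) -> int:
        owed = self.depositTokenAmount - self.redeemedDepositTokens
        return max(0, owed - self.balance)

def scenario(fixed: bool) -> tuple:
    s = StreamModel(fixed)
    s.deposit(1000)              # constructed sample amounts
    s.flashloan_fee_paid(10)
    swept = s.recover_tokens()   # what the streamCreator walks away with
    s.governance_claim_fees()
    return swept, s.user_shortfall()
```

With the reported calculation the creator sweeps the 10-token fee and depositors end up 10 tokens short after the governance claim; with the fee included in the reservation both values are 0.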