search

sherlock-audit / 2022-11-nounsdao-judging

4 stars 0 forks source link

adriro - Allow payer to recover tokens sent in excess #31

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

adriro

medium

Allow payer to recover tokens sent in excess

Summary

Provide a mechanism to the payer to recover funds sent in excess to the Stream contract.

Vulnerability Detail

If the payer funds in excess the stream (i.e. sends more than tokenAmount()) there's currently no way to recover those funds unless the stream is canceled.

Impact

To recover those funds the payer needs to either cancel the stream or wait until the end of the stream. The recoverERC20 function will only work for tokens different from the stream token.

Code Snippet

https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/Stream.sol#L268

function rescueERC20(address tokenAddress, uint256 amount) external onlyPayer {
      if (tokenAddress == address(token())) revert CannotRescueStreamToken();

      IERC20(tokenAddress).safeTransfer(msg.sender, amount);
  }

Tool used

Manual Review

Recommendation

The rescueERC20 can be slightly modified to also allow recovering funds sent in excess of the stream token, which can be identified by comparing the contract's balance and the remainingBalance variable. Here's an idea:

function rescueERC20(address tokenAddress, uint256 amount) external onlyPayer {
    IERC20 token_ = token();

    if (tokenAddress == address(token_)) {
      uint256 tokenBalance_ = tokenBalance();
      uint256 remainingBalance_ = remainingBalance;

      if (tokenBalance_ > remainingBalance_) {
        uint256 maxAllowed = tokenBalance_ - remainingBalance_;
        token_.safeTransfer(msg.sender, amount > maxAllowed ? maxAllowed : amount);
      }
    } else {
      IERC20(tokenAddress).safeTransfer(msg.sender, amount);
    }
}

Duplicate of #28