Provide a mechanism to the payer to recover funds sent in excess to the Stream contract.
Vulnerability Detail
If the payer funds in excess the stream (i.e. sends more than tokenAmount()) there's currently no way to recover those funds unless the stream is canceled.
Impact
To recover those funds the payer needs to either cancel the stream or wait until the end of the stream. The recoverERC20 function will only work for tokens different from the stream token.
function rescueERC20(address tokenAddress, uint256 amount) external onlyPayer {
if (tokenAddress == address(token())) revert CannotRescueStreamToken();
IERC20(tokenAddress).safeTransfer(msg.sender, amount);
}
Tool used
Manual Review
Recommendation
The rescueERC20 can be slightly modified to also allow recovering funds sent in excess of the stream token, which can be identified by comparing the contract's balance and the remainingBalance variable. Here's an idea:
adriro
medium
Allow payer to recover tokens sent in excess
Summary
Provide a mechanism to the payer to recover funds sent in excess to the
Stream
contract.Vulnerability Detail
If the payer funds in excess the stream (i.e. sends more than
tokenAmount()
) there's currently no way to recover those funds unless the stream is canceled.Impact
To recover those funds the payer needs to either cancel the stream or wait until the end of the stream. The
recoverERC20
function will only work for tokens different from the stream token.Code Snippet
https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/Stream.sol#L268
Tool used
Manual Review
Recommendation
The
rescueERC20
can be slightly modified to also allow recovering funds sent in excess of the stream token, which can be identified by comparing the contract's balance and theremainingBalance
variable. Here's an idea:Duplicate of #28