search

sherlock-audit / 2022-11-nounsdao-judging

4 stars 0 forks source link

cccz - When the tokens sent by the payer to the stream are greater than tokenAmount, the excess tokens can only be withdrawn by calling cancel() #36

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

cccz

medium

When the tokens sent by the payer to the stream are greater than tokenAmount, the excess tokens can only be withdrawn by calling cancel()

Summary

The rescueERC20 function can only be used to withdraw tokens other than token() in the contract. When the token sent by the payer to the stream is greater than tokenAmount, the excess token can only be withdrawn by calling cancel()

Vulnerability Detail

The maximum number of tokens vested to the recipient in the contract is tokenAmount(). If the number of tokens sent by the payer to the contract is greater than tokenAmount(), the excess tokens cannot be withdrawn by the rescueERC20(), and the payer can only withdraw the excess tokens by calling cancel()

Impact

When the token sent by the payer to the stream is greater than tokenAmount, the excess token can only be withdrawn by calling cancel().

Code Snippet

https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/Stream.sol#L268-L272 https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/Stream.sol#L237-L259

Tool used

Manual Review

Recommendation

Consider allowing rescueERC20 to withdraw the excess token()

    function rescueERC20(address tokenAddress, uint256 amount) external onlyPayer {
-       if (tokenAddress == address(token())) revert CannotRescueStreamToken();
+       if (tokenAddress == address(token())) require(amount < tokenBalance()-remainingBalance);

        IERC20(tokenAddress).safeTransfer(msg.sender, amount);
    }

Duplicate of #28