Payer can rug recipient if a special ERC20 is used
Summary
If a special type of ERC20 is used it can result in a complete rug for recipient
Vulnerability Detail
Multiple address tokens exist on the blockchain, for example Synthetix's ProxyERC20 - it exists in many forms (sUSD, SBTC..). If a payer deploys a Stream with such a token then the tokens can be stolen from the contract by the payer. This can happen because when calling rescueERC20 the token address passed can be one of the other token addresses and then the require check in the method will be passing successfully.
Impact
This can result in a 100% rug for the recipient which is a loss of value (High severity) but requires a special type of ERC20 token (low likelihood) so it should be Medium severity.
pashov
medium
Payercan rugrecipientif a special ERC20 is usedSummary
If a special type of ERC20 is used it can result in a complete rug for
recipientVulnerability Detail
Multiple address tokens exist on the blockchain, for example Synthetix's ProxyERC20 - it exists in many forms (sUSD, SBTC..). If a
payerdeploys aStreamwith such a token then the tokens can be stolen from the contract by thepayer. This can happen because when callingrescueERC20the token address passed can be one of the other token addresses and then therequirecheck in the method will be passing successfully.Impact
This can result in a 100% rug for the
recipientwhich is a loss of value (High severity) but requires a special type of ERC20 token (low likelihood) so it should be Medium severity.Code Snippet
https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/Stream.sol#L268
Tool used
Manual Review
Recommendation
Instead of checking the address of the token, check the balance of the token before and after the transfer and validate it is not changed.
Duplicate of #52