rescueERC20 should allow the payer to claw back overpaid amount
Summary
The function rescueERC20 do not allow the payer to claw back overpaid amounts.
Vulnerability Detail
It's likely for the payments to be made in multiple installments by multiple parties, and there may be instances where the payer has overpaid for the token.
In such cases, the rescueERC20 function should allow the payer to recover the overpaid amount by transferring the excess amount back to their own address.
However, the current implementation disallows clawing back overpaid amounts for the token itself as it checks if tokenAddress == token and immediately reverts with the error message CannotRescueStreamToken when that's the case.
Impact
The overpaid amount can not be retrieved by the payer until the stoptime (or cancel the stream).
WATCHPUG
medium
rescueERC20
should allow the payer to claw back overpaid amountSummary
The function
rescueERC20
do not allow the payer to claw back overpaid amounts.Vulnerability Detail
It's likely for the payments to be made in multiple installments by multiple parties, and there may be instances where the payer has overpaid for the token.
In such cases, the
rescueERC20
function should allow the payer to recover the overpaid amount by transferring the excess amount back to their own address.However, the current implementation disallows clawing back overpaid amounts for the token itself as it checks if
tokenAddress == token
and immediately reverts with the error messageCannotRescueStreamToken
when that's the case.Impact
The overpaid amount can not be retrieved by the payer until the stoptime (or cancel the stream).
Code Snippet
https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/Stream.sol#L268-L272
Tool used
Manual Review
Recommendation
Consider changing the
rescueERC20()
function and allowing the payer to claw back the overpaid (tokenBalance() - remainingBalance
) amount of the token.Duplicate of #28