rescueERC20 should allow the payer to claw back overpaid amount
Summary
The function rescueERC20 do not allow the payer to claw back overpaid amounts.
Vulnerability Detail
It's likely for the payments to be made in multiple installments by multiple parties, and there may be instances where the payer has overpaid for the token.
In such cases, the rescueERC20 function should allow the payer to recover the overpaid amount by transferring the excess amount back to their own address.
However, the current implementation disallows clawing back overpaid amounts for the token itself as it checks if tokenAddress == token and immediately reverts with the error message CannotRescueStreamToken when that's the case.
Impact
The overpaid amount can not be retrieved by the payer until the stoptime (or cancel the stream).
WATCHPUG
medium
rescueERC20should allow the payer to claw back overpaid amountSummary
The function
rescueERC20do not allow the payer to claw back overpaid amounts.Vulnerability Detail
It's likely for the payments to be made in multiple installments by multiple parties, and there may be instances where the payer has overpaid for the token.
In such cases, the
rescueERC20function should allow the payer to recover the overpaid amount by transferring the excess amount back to their own address.However, the current implementation disallows clawing back overpaid amounts for the token itself as it checks if
tokenAddress == tokenand immediately reverts with the error messageCannotRescueStreamTokenwhen that's the case.Impact
The overpaid amount can not be retrieved by the payer until the stoptime (or cancel the stream).
Code Snippet
https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/Stream.sol#L268-L272
Tool used
Manual Review
Recommendation
Consider changing the
rescueERC20()function and allowing the payer to claw back the overpaid (tokenBalance() - remainingBalance) amount of the token.Duplicate of #28