bad actors can steal others' accidentally transferred tokens.
Summary
The bad actor was able to steal all others accidentally transferred tokens using the rescueERC20 function.
Vulnerability Detail
In the stream contract function, rescueERC20 is made for rescuing accidentally transferred tokens but the function doesn’t have any requirements to funds of ERC20 tokens in the contract which mean everyone who has a payer modifier able to transfer any optional token through using this function.
It should check and ensure the function caller is the real fund's owner, not anyone else trying to steal.
It needs to check even the amount.
. Additionally, the code does not check the allowance of the payer to transfer the specified amount of tokens, which could also result in a loss of funds if the payer does not have the necessary allowance.
it does not check the balance of the payer before transferring the tokens. This could allow the payer to withdraw an unlimited amount of tokens.
Impact
potentially causing a loss of funds for the token of the contract even if tokens were accidentally transferred tokens.
one of the ways to prevent this can be checking if the accounts that want to rescue tokens, actually had this amount of specific tokens balance before sending to this, or any way to validate sender actually sent tokens or wanted to steal.
Avci
high
bad actors can steal others' accidentally transferred tokens.
Summary
The bad actor was able to steal all others accidentally transferred tokens using the rescueERC20 function.
Vulnerability Detail
In the stream contract function, rescueERC20 is made for rescuing accidentally transferred tokens but the function doesn’t have any requirements to funds of ERC20 tokens in the contract which mean everyone who has a payer modifier able to transfer any optional token through using this function.
It should check and ensure the function caller is the real fund's owner, not anyone else trying to steal. It needs to check even the amount.
. Additionally, the code does not check the allowance of the payer to transfer the specified amount of tokens, which could also result in a loss of funds if the payer does not have the necessary allowance.
it does not check the balance of the payer before transferring the tokens. This could allow the payer to withdraw an unlimited amount of tokens.
Impact
potentially causing a loss of funds for the token of the contract even if tokens were accidentally transferred tokens.
Code Snippet
https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/Stream.sol#L268
Tool used
Manual Review
Recommendation
one of the ways to prevent this can be checking if the accounts that want to rescue tokens, actually had this amount of specific tokens balance before sending to this, or any way to validate sender actually sent tokens or wanted to steal.