Avci - bad actors can steal others' accidentally transferred tokens.

[sherlock-admin]

Avci

high

bad actors can steal others' accidentally transferred tokens.

Summary

The bad actor was able to steal all others accidentally transferred tokens using the rescueERC20 function.

Vulnerability Detail

In the stream contract function, rescueERC20 is made for rescuing accidentally transferred tokens but the function doesn’t have any requirements to funds of ERC20 tokens in the contract which mean everyone who has a payer modifier able to transfer any optional token through using this function.

It should check and ensure the function caller is the real fund's owner, not anyone else trying to steal. It needs to check even the amount.

. Additionally, the code does not check the allowance of the payer to transfer the specified amount of tokens, which could also result in a loss of funds if the payer does not have the necessary allowance.

it does not check the balance of the payer before transferring the tokens. This could allow the payer to withdraw an unlimited amount of tokens.

Impact

potentially causing a loss of funds for the token of the contract even if tokens were accidentally transferred tokens.

Code Snippet

https://github.com/sherlock-audit/2022-11-nounsdao/blob/main/src/Stream.sol#L268

Tool used

Manual Review

Recommendation

one of the ways to prevent this can be checking if the accounts that want to rescue tokens, actually had this amount of specific tokens balance before sending to this, or any way to validate sender actually sent tokens or wanted to steal.

[davidbrai]

I don't understand the attack

[hrishibhat]

Agreed. The issue does not clearly explain a valid attack