Closed sherlock-admin closed 1 year ago
The code allows calling cancel after already being cancelled. Whatever excess funds there are will be sent to the payer.
I don't see the issue reported. Maybe if there was code attached I could see.
Agreed with Sponsor. cancel allows the payer to withdraw even after canceling.
0x421f
medium
After cancellation, there is no way for payer to recover streaming tokens sent by mistake
Summary
No way to recover tokenAddress tokens sent by mistake
Vulnerability Detail
In cancel(), nounsDao has the following logic.
Basically it's to block recipients from withdrawing if payer sends token amount after cancellation. However, in current state there is no way for payer to retrieve this way as well.
Impact
Tokens sent by mistake would remain inside contract forever.
Code Snippet
https://github.com/nounsDAO/streamer/blob/master/src/Stream.sol#L244-L247
Tool used
Manual Review
Recommendation
Consider allowing rescue even for streaming tokens after cancellation.