search

sherlock-audit / 2022-11-nounsdao-judging

4 stars 0 forks source link

0x421f - After cancellation, there is no way for payer to recover streaming tokens sent by mistake #77

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

0x421f

medium

After cancellation, there is no way for payer to recover streaming tokens sent by mistake

Summary

No way to recover to recover tokenAddress tokens sent by mistake

Vulnerability Detail

In cancel(), nounsDao has following logic.

        // This zeroing is important because without it, it's possible for recipient to obtain additional funds
        // from this contract if anyone (e.g. payer) sends it tokens after cancellation.
        // Thanks to this state update, `balanceOf(recipient_)` will only return zero in future calls.
        remainingBalance = 0; 

        if (recipientBalance > 0) token_.safeTransfer(recipient_, recipientBalance);

Basically its to block recipients from withdrawing if payer sends token amount after cancellation. However in current state there is no way for payer to retrieve this way as well.

Impact

Tokens sent my mistake would remain inside contract forever.

Code Snippet

https://github.com/nounsDAO/streamer/blob/master/src/Stream.sol#L244-L247

Tool used

Manual Review

Recommendation

Consider allowing rescue even for streaming tokens after cancellation.

davidbrai commented 1 year ago

the code allows calling cancel after already being cancelled. whatever excess funds there are will be sent to the payer.

I don't see the issue reported. maybe if there was code attached I could see.

hrishibhat commented 1 year ago

Agreed with Sponsor. cancel allows the payer to withdraw even after canceling.