Upon deployment, the recipient of the Sweepable contract is the msg.sender. It can also later be changed to any other address by the owner. The issue here is that if the total allocated tokens are decreased in adjust() function, the tokens are sent to the owner. That means that the recipient of those funds can be a completely different address than the one set as recipient. This is extremely illogical and could cause loss of funds in cases where the owner is a contract with no way of getting out tokens or if it is an EOA that was just used for deploying and was then left behind. The protocols integrating TokenSoft would expect that since they set the recipient, that would be the address that receives the tokens.
samuraii77
medium
Owner funds could get locked
Summary
Owner funds could get locked
Vulnerability Detail
The owner can call
AdvancedDistributorInitializable#adjust()
in order to adjust the amount that a user can claim:Upon deployment, the recipient of the
Sweepable
contract is themsg.sender
. It can also later be changed to any other address by the owner. The issue here is that if the total allocated tokens are decreased inadjust()
function, the tokens are sent to the owner. That means that the recipient of those funds can be a completely different address than the one set as recipient. This is extremely illogical and could cause loss of funds in cases where the owner is a contract with no way of getting out tokens or if it is an EOA that was just used for deploying and was then left behind. The protocols integrating TokenSoft would expect that since they set the recipient, that would be the address that receives the tokens.Impact
Owner funds could get locked
Code Snippet
https://github.com/sherlock-audit/2024-05-tokensoft-distributor-contracts-update/blob/67edd899612619b0acefdcb0783ef7a8a75caeac/contracts/packages/hardhat/contracts/claim/factory/AdvancedDistributorInitializable.sol#L124-L145
Tool used
Manual Review
Recommendation
Use pull over push or send the tokens to the recipient address.