Varun_05 - There is no way to change the SweepRecipient. Not even by the owner.

[sherlock-admin3]

Varun_05

medium

There is no way to change the SweepRecipient. Not even by the owner.

Summary

In the current implementation of sweepable.sol there is no way to change the sweep recepient. Not even by the owner.

Vulnerability Detail

Following is the set sweep recipient function.

 function _setSweepRecipient(address payable _recipient) internal {
        recipient = _recipient;
        emit SetSweepRecipient(recipient);
    }

As can be seen that it is an internal function and there exists no public function with onlyOwner modifier there is no possibility of changing the sweepReceipent. Owner is set as sweep recipient initally as can be seen from the following function

function __AdvancedDistributor_init(
        IERC20 _token,
        uint256 _total,
        string memory _uri,
        uint256 _voteFactor,
        uint256 _fractionDenominator,
        uint160 _maxDelayTime,
        uint160 _salt,
        address _owner
    ) internal onlyInitializing {
        _setSweepRecipient(payable(_owner));
        voteFactor = _voteFactor;
        emit SetVoteFactor(voteFactor);

        __Distributor_init(_token, _total, _uri, _fractionDenominator);
        __FairQueue_init(_maxDelayTime, _salt);
    }

Now a owner can renounce its ownership and change to a new owner but the sweep Recipient can not be changed thus if the sweep receipent address gets depreciated it causes loss of funds.

Impact

Causes loss of funds if sweep recipient address gets depreciated and there is no way to change it not even by the new owner.

Code Snippet

https://github.com/sherlock-audit/2024-05-tokensoft-distributor-contracts-update/blob/67edd899612619b0acefdcb0783ef7a8a75caeac/contracts/packages/hardhat/contracts/utilities/Sweepable.sol#L47

Tool used

Manual Review

Recommendation

Add a new set sweep recipient function with onlyOwner modifier which allows to change the sweep recipient.