0x0x0x
On recoverTokens function in Stream. Excess amount of deposit token is calculated as follows:
uint256 excess = ERC20(token).balanceOf(address(this)) - (depositTokenAmount - redeemedDepositTokens);
This calculation does not include depositTokenFlashloanFeeAmount. Therefore they can be claimed by the streamCreator altough they are for factory reward. I consider this as a high risk, since profits of factory can get stolen and anyone create a stream.
Futhermore, those fees can be still claimed by the governance, which results at less than expected depositToken in contract. Therefore, user funds get lost.
Add depositTokenFlashloanFeeAmount to the calculation.
The text was updated successfully, but these errors were encountered:
All reactions