cmichel
The Streaming contract allows recovering the reward token by calling recoverTokens(rewardToken, recipient).
However, the excess amount is computed incorrectly as ERC20(token).balanceOf(address(this)) - (rewardTokenAmount + rewardTokenFeeAmount):
```solidity
function recoverTokens(address token, address recipient) public lock {
    if (token == rewardToken) {
        require(block.timestamp > endRewardLock, "time");
        // check what isnt claimable by depositors and governance
        // @audit-issue rewardTokenAmount increased on fundStream, but never decreased! this excess underflows
        uint256 excess = ERC20(token).balanceOf(address(this)) - (rewardTokenAmount + rewardTokenFeeAmount);
        ERC20(token).safeTransfer(recipient, excess);
        emit RecoveredTokens(token, recipient, excess);
        return;
    }
    // ...
```
Note that rewardTokenAmount only ever increases (when calling fundStream) but it never decreases when claiming the rewards through claimReward.
However, claimReward transfers out the reward token.
Therefore, the rewardTokenAmount never tracks the contract's reward balance and the excess cannot be computed that way.
Assume no reward fees for simplicity and only a single user staking.
Reward token recovery does not work.
The claimed rewards need to be tracked as well, just like the claimed deposits are tracked.
I think you can even decrease rewardTokenAmount in claimReward because at this point rewardTokenAmount is not used to update the cumulativeRewardPerToken anymore.
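The accounting described above, as an added Python model (not the project's Solidity code): it follows only the reward-token balance and rewardTokenAmount, with no fees and a single claimer, and compares the reported behaviour with the suggested fix of decreasing rewardTokenAmount in claimReward. The class, method names and amounts are constructed for illustration, and the model assumes checked arithmetic, so an underflow reverts.

```python
class Revert(Exception):
    """Stands in for a revert on checked-arithmetic underflow (assumption)."""


def checked_sub(a: int, b: int) -> int:
    if b > a:
        raise Revert(f"underflow: {a} - {b}")
    return a - b


class StreamModel:
    """Reward-token bookkeeping only; deposits, fees and time locks are omitted."""

    def __init__(self, decrease_on_claim: bool):
        self.decrease_on_claim = decrease_on_claim  # False = behaviour in the report
        self.balance = 0                 # ERC20(token).balanceOf(address(this))
        self.reward_token_amount = 0     # rewardTokenAmount
        self.reward_token_fee_amount = 0 # rewardTokenFeeAmount (no fees assumed)

    def fund_stream(self, amount: int) -> None:
        self.balance += amount
        self.reward_token_amount += amount

    def direct_transfer(self, amount: int) -> None:
        # Tokens sent to the contract outside fundStream: the real excess.
        self.balance += amount

    def claim_reward(self, amount: int) -> None:
        self.balance = checked_sub(self.balance, amount)  # tokens leave the contract
        if self.decrease_on_claim:
            self.reward_token_amount = checked_sub(self.reward_token_amount, amount)

    def recover_tokens(self) -> int:
        owed = self.reward_token_amount + self.reward_token_fee_amount
        excess = checked_sub(self.balance, owed)
        self.balance -= excess
        return excess


def scenario(decrease_on_claim: bool, funded: int, stray: int, claimed: int):
    """Fund, receive stray tokens, claim, then attempt recovery."""
    s = StreamModel(decrease_on_claim)
    s.fund_stream(funded)
    s.direct_transfer(stray)
    s.claim_reward(claimed)
    try:
        return s.recover_tokens()
    except Revert:
        return "revert"
```

With constructed amounts of 1000 funded, 50 sent directly and 400 claimed, the original bookkeeping reverts while the adjusted one recovers 50; when the stray amount exceeds what was claimed, the original recovers less than the true excess.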