Provide a mechanism to the payer to recover funds sent in excess to the Stream contract.
If the payer funds in excess the stream (i.e. sends more than tokenAmount()) there's currently no way to recover those funds unless the stream is canceled.
To recover those funds the payer needs to either cancel the stream or wait until the end of the stream. The recoverERC20 function will only work for tokens different from the stream token.
https://github.com/sherlock-audit/2022-11-nounsdao-romeroadrian/blob/main/src/Stream.sol#L268
function rescueERC20(address tokenAddress, uint256 amount) external onlyPayer {
if (tokenAddress == address(token())) revert CannotRescueStreamToken();
IERC20(tokenAddress).safeTransfer(msg.sender, amount);
}Manual Review
The rescueERC20 can be slightly modified to also allow recovering funds sent in excess of the stream token, which can be identified by comparing the contract's balance and the remainingBalance variable. Here's an idea:
function rescueERC20(address tokenAddress, uint256 amount) external onlyPayer {
IERC20 token_ = token();
if (tokenAddress == address(token_)) {
uint256 tokenBalance_ = tokenBalance();
uint256 remainingBalance_ = remainingBalance;
if (tokenBalance_ > remainingBalance_) {
uint256 maxAllowed = tokenBalance_ - remainingBalance_;
token_.safeTransfer(msg.sender, amount > maxAllowed ? maxAllowed : amount);
}
} else {
IERC20(tokenAddress).safeTransfer(msg.sender, amount);
}
}