Proper calculation of available amount to be recovered

m-Peter · m-Peter · commit 224f7402d872 · 2026-03-27T17:23:38.000+02:00
diff --git a/solidity/src/FlowYieldVaultsRequests.sol b/solidity/src/FlowYieldVaultsRequests.sol
@@ -167,6 +167,9 @@ contract FlowYieldVaultsRequests is ReentrancyGuard, Ownable2Step {
     /// @notice Claimable refunds from cancelled/dropped/failed requests: user => token => amount
     mapping(address => mapping(address => uint256)) public claimableRefunds;
 
+    /// @notice Total balance of each token accounted for in contract (escrowed/claimable)
+    mapping(address => uint256) public totalAccountedBalance;
+
     /// @notice All requests indexed by request ID
     mapping(uint256 => Request) public requests;
 
@@ -282,6 +285,15 @@ contract FlowYieldVaultsRequests is ReentrancyGuard, Ownable2Step {
     /// @notice No refund available for the specified token
     error NoRefundAvailable(address token);
 
+    /// @notice Recovery user address cannot be zero
+    error InvalidRecoveryUserAddress();
+
+    /// @notice ERC20 token address cannot be the native $FLOW token
+    error InvalidRecoveryTokenAddress();
+
+    /// @notice The requested recovery amount exceeds the available excess amount
+    error InsufficientRecoveryAmount(uint256 available, uint256 requested);
+
     // ============================================
     // Events
     // ============================================
@@ -538,11 +550,19 @@ contract FlowYieldVaultsRequests is ReentrancyGuard, Ownable2Step {
         address to,
         address tokenAddress,
         uint256 amount
-    ) external onlyOwner {
-        IERC20(tokenAddress).safeTransfer(
-            to,
-            amount
-        );
+    ) external onlyOwner nonReentrant {
+        if (to == address(0) || to == address(this))
+            revert InvalidRecoveryUserAddress();
+        if (isNativeFlow(tokenAddress)) revert InvalidRecoveryTokenAddress();
+        if (amount == 0) revert AmountMustBeGreaterThanZero();
+
+        uint256 contractBalance = IERC20(tokenAddress).balanceOf(address(this));
+        uint256 excess = contractBalance - totalAccountedBalance[tokenAddress];
+        if (amount > excess) {
+            revert InsufficientRecoveryAmount(excess, amount);
+        }
+
+        IERC20(tokenAddress).safeTransfer(to, amount);
         emit TokensRecovered(to, tokenAddress, amount);
     }
 
@@ -1023,6 +1043,7 @@ contract FlowYieldVaultsRequests is ReentrancyGuard, Ownable2Step {
                     address(this),
                     request.amount
                 );
+                totalAccountedBalance[request.tokenAddress] += request.amount;
             }
             // Credit refunded funds to claimable refunds for later claim
             claimableRefunds[request.user][request.tokenAddress] += request
@@ -1527,6 +1548,7 @@ contract FlowYieldVaultsRequests is ReentrancyGuard, Ownable2Step {
                     authorizedCOA,
                     request.amount
                 );
+                totalAccountedBalance[request.tokenAddress] -= request.amount;
             }
             emit FundsWithdrawn(
                 authorizedCOA,
@@ -1588,6 +1610,7 @@ contract FlowYieldVaultsRequests is ReentrancyGuard, Ownable2Step {
                 address(this),
                 amount
             );
+            totalAccountedBalance[tokenAddress] += amount;
         }
     }
 
@@ -1647,6 +1670,7 @@ contract FlowYieldVaultsRequests is ReentrancyGuard, Ownable2Step {
         } else {
             // ERC20: use SafeERC20 for safe token transfer
             IERC20(tokenAddress).safeTransfer(to, amount);
+            totalAccountedBalance[tokenAddress] -= amount;
         }
     }
 
diff --git a/solidity/test/FlowYieldVaultsRequests.t.sol b/solidity/test/FlowYieldVaultsRequests.t.sol
@@ -3,6 +3,7 @@ pragma solidity 0.8.20;
 
 import "forge-std/Test.sol";
 import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
+import "@openzeppelin/contracts/interfaces/draft-IERC6093.sol";
 import "../src/FlowYieldVaultsRequests.sol";
 
 contract MockDAI is ERC20 {
@@ -1542,6 +1543,11 @@ contract FlowYieldVaultsRequestsTest is Test {
         vm.prank(coa);
         vm.expectRevert(FlowYieldVaultsRequests.MsgValueMustBeZero.selector);
         c.completeProcessing{value: 5 ether}(req2, false, 101, "Failed");
+
+        // Success case must also reject non-zero msg.value (the `else` branch)
+        vm.prank(coa);
+        vm.expectRevert(FlowYieldVaultsRequests.MsgValueMustBeZero.selector);
+        c.completeProcessing{value: 1 ether}(req2, true, 101, "Success");
     }
 
     function test_CompleteProcessing_RefundNativeFunds() public {
@@ -1580,9 +1586,6 @@ contract FlowYieldVaultsRequestsTest is Test {
         assertEq(dai.balanceOf(user), 20 ether);
         assertEq(dai.balanceOf(address(c)), 0 ether);
 
-        vm.prank(c.owner());
-        c.setTokenConfig(address(dai), true, 0.5 ether, false);
-
         vm.startPrank(user);
         dai.approve(address(c), 5 ether);
         uint256 reqId = c.createYieldVault(address(dai), 5 ether, VAULT_ID, STRATEGY_ID);
@@ -1597,7 +1600,7 @@ contract FlowYieldVaultsRequestsTest is Test {
 
         vm.startPrank(coa);
         dai.approve(address(c), 5 ether);
-        c.completeProcessing(reqId, false, 101, "Failed");
+        c.completeProcessing(reqId, false, c.NO_YIELDVAULT_ID(), "Failed");
         assertEq(dai.balanceOf(coa), 0 ether);
         assertEq(dai.balanceOf(address(c)), 5 ether);
         vm.stopPrank();
@@ -1627,4 +1630,215 @@ contract FlowYieldVaultsRequestsTest is Test {
         assertEq(dai.balanceOf(address(c)), 0 ether);
         vm.stopPrank();
     }
+
+    function test_RecoverTokens_RevertInsufficientRecoveryAmount() public {
+        deal(address(dai), user2, 20 ether);
+        assertEq(dai.balanceOf(user2), 20 ether);
+
+        vm.startPrank(user2);
+        dai.transfer(address(c), 5 ether);
+        assertEq(dai.balanceOf(user2), 15 ether);
+        assertEq(dai.balanceOf(address(c)), 5 ether);
+        vm.stopPrank();
+
+        vm.prank(c.owner());
+        vm.expectRevert(abi.encodeWithSelector(
+            FlowYieldVaultsRequests.InsufficientRecoveryAmount.selector,
+            5 ether,
+            25 ether
+        ));
+        c.recoverTokens(user2, address(dai), 25 ether);
+    }
+
+    function test_RecoverTokens_RevertInvalidRecoveryUserAddress() public {
+        vm.prank(c.owner());
+        vm.expectRevert(FlowYieldVaultsRequests.InvalidRecoveryUserAddress.selector);
+        c.recoverTokens(address(0), address(dai), 25 ether);
+    }
+
+    function test_RecoverTokens_RevertInvalidRecoveryTokenAddress() public {
+        vm.prank(c.owner());
+        vm.expectRevert(FlowYieldVaultsRequests.InvalidRecoveryTokenAddress.selector);
+        c.recoverTokens(user2, NATIVE_FLOW, 25 ether);
+    }
+
+    function test_RecoverTokens_WithPendingUserBalanceAndNoExcessAmount() public {
+        vm.prank(c.owner());
+        c.testRegisterYieldVaultId(101, user, address(dai));
+        c.setTokenConfig(address(dai), true, 0.5 ether, false);
+
+        deal(address(dai), user, 20 ether);
+        assertEq(dai.balanceOf(user), 20 ether);
+        assertEq(dai.balanceOf(address(c)), 0 ether);
+
+        vm.startPrank(user);
+        dai.approve(address(c), 5 ether);
+        uint256 reqId = c.createYieldVault(address(dai), 5 ether, VAULT_ID, STRATEGY_ID);
+        assertEq(dai.balanceOf(user), 15 ether);
+        assertEq(dai.balanceOf(address(c)), 5 ether);
+        vm.stopPrank();
+
+        vm.prank(c.owner());
+        vm.expectRevert(abi.encodeWithSelector(
+            FlowYieldVaultsRequests.InsufficientRecoveryAmount.selector,
+            0 ether,
+            5 ether
+        ));
+        c.recoverTokens(user, address(dai), 5 ether);
+    }
+
+    function test_RecoverTokens_WithCancelledRequestAndNoExcessAmount() public {
+        vm.prank(c.owner());
+        c.testRegisterYieldVaultId(101, user, address(dai));
+        c.setTokenConfig(address(dai), true, 0.5 ether, false);
+
+        deal(address(dai), user, 20 ether);
+        assertEq(dai.balanceOf(user), 20 ether);
+        assertEq(dai.balanceOf(address(c)), 0 ether);
+
+        vm.startPrank(user);
+        dai.approve(address(c), 5 ether);
+        uint256 reqId = c.createYieldVault(address(dai), 5 ether, VAULT_ID, STRATEGY_ID);
+        assertEq(dai.balanceOf(user), 15 ether);
+        assertEq(dai.balanceOf(address(c)), 5 ether);
+
+        c.cancelRequest(reqId);
+        vm.stopPrank();
+
+        vm.prank(c.owner());
+        vm.expectRevert(abi.encodeWithSelector(
+            FlowYieldVaultsRequests.InsufficientRecoveryAmount.selector,
+            0 ether,
+            5 ether
+        ));
+        c.recoverTokens(user, address(dai), 5 ether);
+    }
+
+    function test_RecoverTokens_WithClaimableRefundAndNoExcessAmount() public {
+        vm.prank(c.owner());
+        c.testRegisterYieldVaultId(101, user, address(dai));
+        c.setTokenConfig(address(dai), true, 0.5 ether, false);
+
+        deal(address(dai), user, 20 ether);
+        assertEq(dai.balanceOf(user), 20 ether);
+        assertEq(dai.balanceOf(address(c)), 0 ether);
+
+        vm.startPrank(user);
+        dai.approve(address(c), 5 ether);
+        uint256 reqId = c.createYieldVault(address(dai), 5 ether, VAULT_ID, STRATEGY_ID);
+        assertEq(dai.balanceOf(user), 15 ether);
+        assertEq(dai.balanceOf(address(c)), 5 ether);
+        vm.stopPrank();
+
+        vm.prank(coa);
+        _startProcessingBatch(reqId);
+        assertEq(dai.balanceOf(coa), 5 ether);
+        assertEq(dai.balanceOf(address(c)), 0 ether);
+
+        vm.startPrank(coa);
+        dai.approve(address(c), 5 ether);
+        c.completeProcessing(reqId, false, c.NO_YIELDVAULT_ID(), "Failed");
+        assertEq(dai.balanceOf(coa), 0 ether);
+        assertEq(dai.balanceOf(address(c)), 5 ether);
+        vm.stopPrank();
+
+        vm.prank(c.owner());
+        vm.expectRevert(abi.encodeWithSelector(
+            FlowYieldVaultsRequests.InsufficientRecoveryAmount.selector,
+            0 ether,
+            5 ether
+        ));
+        c.recoverTokens(user, address(dai), 5 ether);
+    }
+
+    function test_RecoverTokens_WithProcessingRequestAndExcessAmount() public {
+        vm.prank(c.owner());
+        c.testRegisterYieldVaultId(101, user, address(dai));
+        c.setTokenConfig(address(dai), true, 0.5 ether, false);
+
+        deal(address(dai), user, 20 ether);
+        assertEq(dai.balanceOf(user), 20 ether);
+        assertEq(dai.balanceOf(address(c)), 0 ether);
+
+        vm.startPrank(user);
+        dai.approve(address(c), 5 ether);
+        uint256 reqId = c.createYieldVault(address(dai), 5 ether, VAULT_ID, STRATEGY_ID);
+        assertEq(dai.balanceOf(user), 15 ether);
+        assertEq(dai.balanceOf(address(c)), 5 ether);
+        vm.stopPrank();
+
+        vm.prank(coa);
+        _startProcessingBatch(reqId);
+        assertEq(dai.balanceOf(coa), 5 ether);
+        assertEq(dai.balanceOf(address(c)), 0 ether);
+
+        vm.prank(user);
+        dai.transfer(address(c), 3 ether);
+
+        vm.prank(c.owner());
+        c.recoverTokens(user, address(dai), 3 ether);
+        assertEq(dai.balanceOf(address(c)), 0 ether);
+        assertEq(dai.balanceOf(user), 15 ether);
+    }
+
+    function test_RecoverTokens_RevertWhenAccountedExceedsAmount() public {
+        c.testRegisterYieldVaultId(101, user, address(dai));
+        c.setTokenConfig(address(dai), true, 0.5 ether, false);
+        deal(address(dai), user, 20 ether);
+        vm.startPrank(user);
+        dai.approve(address(c), 5 ether);
+        c.createYieldVault(address(dai), 5 ether, VAULT_ID, STRATEGY_ID);
+        vm.stopPrank();
+
+        // contract has a balance of 5 DAI via the above createYieldVault,
+        // but there is no excess balance for the given token.
+        vm.prank(c.owner());
+        vm.expectRevert(abi.encodeWithSelector(
+            FlowYieldVaultsRequests.InsufficientRecoveryAmount.selector,
+            0,
+            3 ether
+        ));
+        c.recoverTokens(user, address(dai), 3 ether);
+    }
+
+    function test_RecoverTokens_WithAccountedLessThanAmount() public {
+        c.testRegisterYieldVaultId(101, user, address(dai));
+        c.setTokenConfig(address(dai), true, 0.5 ether, false);
+        deal(address(dai), user, 20 ether);
+        vm.startPrank(user);
+        dai.approve(address(c), 5 ether);
+        c.createYieldVault(address(dai), 5 ether, VAULT_ID, STRATEGY_ID);
+        vm.stopPrank();
+
+        vm.prank(user);
+        dai.transfer(address(c), 8 ether);
+        assertEq(dai.balanceOf(address(c)), 13 ether);
+
+        // contract has 5 ether in pendingUserBalances via createYieldVault
+        vm.prank(c.owner());
+        c.recoverTokens(user, address(dai), 8 ether);
+        // user still has 5 ether in pendingUserBalances via createYieldVault,
+        // even after the stray token recovery
+        assertEq(c.getUserPendingBalance(user, address(dai)), 5 ether);
+        assertEq(dai.balanceOf(address(c)), 5 ether);
+    }
+
+    function test_RecoverTokens_RevertWhenNotOwner() public {
+        deal(address(dai), user2, 5 ether);
+        vm.prank(user2);
+        dai.transfer(address(c), 5 ether);
+
+        vm.prank(user2); // non-owner
+        vm.expectRevert(abi.encodeWithSelector(
+            OwnableUnauthorizedAccount.selector,
+            user2
+        ));
+        c.recoverTokens(user2, address(dai), 5 ether);
+    }
+
+    function test_RecoverTokens_RevertInvalidRecoveryUserAddress_ContractSelf() public {
+        vm.prank(c.owner());
+        vm.expectRevert(FlowYieldVaultsRequests.InvalidRecoveryUserAddress.selector);
+        c.recoverTokens(address(c), address(dai), 1 ether);
+    }
 }
