FLOW-8: No Recovery Mechanism for Stray Tokens or Native Funds

[liobrasil]

Severity: Low

Files Affected

• solidity/src/FlowYieldVaultsRequests.sol

Description

FlowYieldVaultsRequests can hold native funds (via receive() and native deposits) and ERC20 tokens (via _validateDeposit() and refunds pulled in completeProcessing()), but it only transfers assets out through request-driven paths (startProcessing() to COA, and user/admin refund flows).

There is no generic recovery or sweep mechanism exposed in this file. However, tokens or native funds sent directly to the contract outside the intended request flows (including accidental transfers, airdrops, or mistaken deposits to unsupported tokens) are not recoverable through any function here, and may remain trapped indefinitely.

This could lead to permanent loss of accidentally sent assets and complicate operational handling if external systems mistakenly transfer funds to the contract address.

Recommendation

Add a constrained rescue mechanism for non-accounted assets (carefully excluding escrowed/refund-tracked balances) with clear operational controls.

---

Parent Issue: #15

[vishalchangrani]

• Admin only path to retrieve the funds and possibly refund it back.

[m-Peter]

Fixed in commit 08bf9c5

Removed the special receive() Solidity function:

/// @notice Allows contract to receive native $FLOW
receive() external payable {}

to avoid accidental native FLOW token transfers to the contract, as it is not necessary for the contract's operation.

Introduced a new recoverTokens(to, tokenAddress, amount) Solidity function which allows only the contract's owner, to recover any ERC20 tokens through accidental user transfers.

Added some more unit tests, to verify that all 3 payable functions (createYieldVault / depositToYieldVault / completeProcessing), cannot receive any non-supported ERC20 tokens. All tokens transferred to these functions, are claimable by the users, even in the case of failures.