0xKann - Lack of WETH Handling in StreamEscrow Contract #171

sherlock-admin4 opened this issue Nov 30, 2024 · 0 comments
sherlock-admin4 commented Nov 30, 2024

0xKann

Medium

Lack of WETH Handling in StreamEscrow Contract

Summary

The StreamEscrow contract is designed to send ETH to the treasury but lacks logic to handle Wrapped Ether (WETH). This oversight assumes the system only uses native ETH, even though WETH may be wrapped earlier in the workflow or received from external protocols.

Root Cause

While this issue does not present a direct attack vector, it creates operational risks:
https://github.com/sherlock-audit/2024-11-nounsdao/blob/main/nouns-monorepo/packages/nouns-contracts/contracts/StreamEscrow.sol#L303-L309
Denial of Treasury Funds: If the contract receives WETH instead of ETH (e.g., from a protocol or user), the funds may remain trapped in the contract and cannot be transferred to the treasury.
Protocol Incompatibility: External integrations requiring WETH interactions may fail to operate correctly with the contract.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

Operational Risk:

Funds sent to the contract as WETH cannot be transferred to the treasury, leaving them inaccessible.
The treasury's ETH balance will be lower than expected, causing discrepancies in fund tracking and accounting.

Interoperability Issues:

The system may become incompatible with protocols or users that deal in WETH rather than native ETH.

PoC

Add a check if ETH is wrapped to WETH to send to treasury with WETH

IWETH(WETH_ADDRESS).deposit{value: 10 ether}(); // Wrap 10 ETH into WETH
IWETH(WETH_ADDRESS).transfer(streamEscrowAddress, 10 ether); // Send WETH to the contract
streamEscrow.sendETHToTreasury();

Mitigation

No response

sherlock-admin4 changed the title from "Polished Pear Hedgehog - Lack of WETH Handling in StreamEscrow Contract" to "0xKann - Lack of WETH Handling in StreamEscrow Contract" on Dec 4, 2024
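The trapped-WETH behaviour the report describes, shown on a minimal contract with one possible recovery path. This is an added example, not code from the report or from the Nouns repository: `EthOnlyEscrow`, `treasury` and `rescueERC20` are hypothetical names, and the permissionless rescue to a fixed treasury address is an assumption about the access model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration. EthOnlyEscrow, treasury and rescueERC20 are
// hypothetical names; this is not the StreamEscrow source.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract EthOnlyEscrow {
    address public immutable treasury;

    constructor(address treasury_) {
        require(treasury_ != address(0), "zero treasury");
        treasury = treasury_;
    }

    // Accept native ETH.
    receive() external payable {}

    // Forwards native ETH only. address(this).balance never includes WETH:
    // WETH held by this contract is an entry in the WETH token's own
    // balance mapping, so this call leaves it where it is.
    function sendETHToTreasury() external {
        uint256 amount = address(this).balance;
        (bool ok, ) = treasury.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }

    // Recovery path: move the full balance of any ERC-20 (WETH included)
    // held here to the treasury. The destination is fixed at deployment,
    // so a caller cannot redirect the funds.
    function rescueERC20(IERC20 token) external returns (uint256 amount) {
        amount = token.balanceOf(address(this));
        require(amount > 0, "nothing to rescue");
        // Low-level call so tokens that return no value are handled as well
        // as tokens that return a bool.
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(IERC20.transfer.selector, treasury, amount)
        );
        require(
            ok && (data.length == 0 || abi.decode(data, (bool))),
            "token transfer failed"
        );
    }
}
```

Without `rescueERC20`, the sequence in the PoC leaves the 10 WETH recorded against the escrow's address in the token contract while `sendETHToTreasury` forwards only the native balance.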