Adding withdraw capability to ERC20 token contract(for stuck tokens)

Basically i want to add a capability to withdraw stuck tokens from the ERC20 token contract(so i can recover tokens that are accidentally sent to the contract address).

My question is. Are there any risks?
The treasuryWallet is a safe address, but anyone can enter a fake address for the ERC20 that could execute any code.

However, i am not really seeing any potential vulnerabilities. The token contract address would be the msg.sender in such case(if the _token address was a 'malicious' contract address), but so what? I don't see any potential harm being done?
Am i mistaken?

address treasuryWallet = "0x...012323"; //some "safe address"
         function transferStuckTokens(address _token) external {
		require(msg.sender == tx.origin);
		uint256 tokenAmount = IERC20(_token).balanceOf(address(this));
		IERC20(_token).transfer(treasuryWallet, tokenAmount);
1 Like

Hey @justAsking
you don't need require(msg.sender == tx.origin) due to msg.sender is never used

Also, I can't see any issue even if someone put a malicious token address as input. Even if you receive those tokens (that must be in contract first) you can ignore them. It is the same if someone send a malicious token to you. Just ignore it or send to burn.

1 Like

Did this work for you? Looking for a token template that includes it.