Handle
pauliax
Vulnerability details
Impact
Function subscribe does not verify the owner of the position, so anyone can re-stake any position to different incentives. This doesn't create any harm for the user, as they can stake one position into as many incentives as they want, but I still think this should be left as the user's responsibility.
Recommended Mitigation Steps
Consider adding auth to function subscribe to verify the sender.
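
Added example, not part of the original report and not the audited project's code: a simplified sketch of the missing check, with the unchecked form beside the mitigated one. The contract name, the IPositionNFT interface, the storage layout, the event and the error strings are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical interface for the NFT that represents a position (assumption).
interface IPositionNFT {
    function ownerOf(uint256 tokenId) external view returns (address);
}

// Hypothetical, simplified staking manager; not the audited contract.
contract IncentiveManagerSketch {
    IPositionNFT public immutable positions;

    // positionId => incentiveId => subscribed
    mapping(uint256 => mapping(uint256 => bool)) public subscribed;

    event Subscribed(uint256 indexed positionId, uint256 indexed incentiveId, address indexed by);

    constructor(IPositionNFT _positions) {
        positions = _positions;
    }

    // As reported: msg.sender is never compared with the position owner,
    // so any account can subscribe any position to any incentive.
    function subscribeUnchecked(uint256 positionId, uint256 incentiveId) external {
        _subscribe(positionId, incentiveId);
    }

    // Mitigated: only the current owner of the position may subscribe it.
    function subscribe(uint256 positionId, uint256 incentiveId) external {
        require(positions.ownerOf(positionId) == msg.sender, "NOT_OWNER");
        _subscribe(positionId, incentiveId);
    }

    // Shared bookkeeping; the Subscribed event records who made the call,
    // which lets off-chain monitoring spot third-party subscriptions.
    function _subscribe(uint256 positionId, uint256 incentiveId) private {
        require(!subscribed[positionId][incentiveId], "ALREADY_SUBSCRIBED");
        subscribed[positionId][incentiveId] = true;
        emit Subscribed(positionId, incentiveId, msg.sender);
    }
}
```

Whether approved operators of a position should also be allowed to subscribe it is a design decision the report does not address; the sketch accepts the owner only.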