code-423n4 / 2021-09-sushitrident-2-findings


Anyone can subscribe on behalf of other users #69

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

pauliax

Vulnerability details

Impact

function subscribe does not verify the owner of the position, so anyone can re-stake any position into different incentives. This doesn't create any harm for the user, as they can stake one position into as many incentives as they want, but still I think this should be left to the user's responsibility.

Recommended Mitigation Steps

Consider adding auth to function subscribe to verify the sender.
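The following is an added illustration of the pattern the finding describes and the recommended fix; it is not code from the Trident repository. The contract, its storage layout (positions keyed by id with a recorded owner, incentives keyed by id), the function names subscribeUnchecked and subscribe, and the onlyPositionOwner modifier are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical incentive manager (not the Trident code).
/// A position belongs to one owner and may be subscribed to many incentives.
contract IncentiveSubscriptions {
    struct Position {
        address owner;
        uint128 liquidity;
    }

    struct Incentive {
        address rewardToken;
        uint256 rewardsPerSecond;
    }

    uint256 public nextPositionId = 1;
    uint256 public nextIncentiveId = 1;

    mapping(uint256 => Position) public positions;
    mapping(uint256 => Incentive) public incentives;
    // positionId => incentiveId => subscribed?
    mapping(uint256 => mapping(uint256 => bool)) public subscribed;

    event Subscribed(uint256 indexed positionId, uint256 indexed incentiveId, address indexed caller);

    /// Only the recorded owner of `positionId` may act on it.
    /// A non-existent position has owner address(0), which can never equal msg.sender,
    /// so the existence check is covered by the same comparison.
    modifier onlyPositionOwner(uint256 positionId) {
        require(positions[positionId].owner == msg.sender, "not position owner");
        _;
    }

    /// Minimal helpers so the example is self-contained (assumed, not project API).
    function mintPosition(uint128 liquidity) external returns (uint256 id) {
        id = nextPositionId++;
        positions[id] = Position({owner: msg.sender, liquidity: liquidity});
    }

    function createIncentive(address rewardToken, uint256 rewardsPerSecond) external returns (uint256 id) {
        require(rewardToken != address(0), "zero reward token");
        id = nextIncentiveId++;
        incentives[id] = Incentive({rewardToken: rewardToken, rewardsPerSecond: rewardsPerSecond});
    }

    /// VULNERABLE SHAPE (what the finding reports): the position exists, the incentive
    /// exists, but nothing ties msg.sender to the position. Any account can attach any
    /// position to any incentive on the owner's behalf.
    function subscribeUnchecked(uint256 positionId, uint256 incentiveId) external {
        require(positions[positionId].owner != address(0), "no such position");
        require(incentives[incentiveId].rewardToken != address(0), "no such incentive");
        require(!subscribed[positionId][incentiveId], "already subscribed");

        subscribed[positionId][incentiveId] = true;
        emit Subscribed(positionId, incentiveId, msg.sender);
    }

    /// HARDENED SHAPE (the recommended mitigation): the caller must own the position.
    /// Which incentives a position joins is now solely the owner's decision.
    function subscribe(uint256 positionId, uint256 incentiveId)
        external
        onlyPositionOwner(positionId)
    {
        require(incentives[incentiveId].rewardToken != address(0), "no such incentive");
        require(!subscribed[positionId][incentiveId], "already subscribed");

        subscribed[positionId][incentiveId] = true;
        emit Subscribed(positionId, incentiveId, msg.sender);
    }
}
```

The only behavioural difference between the two functions is the ownership comparison; an auditor checking for this class of issue looks at every state-changing entry point that takes a position id and asks whether msg.sender (or an approved operator, if the design allows delegation) is bound to that id before state is written.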

alcueca commented 2 years ago

Chose #77 as best description