currently withdrawals/redemption only require the caller to be the owner or approved for the erc20 share token
this is probably fine most of the time, as it is unusual for people to approve EOAs and trusted/trustworthy contracts are unlikely to try to do anything bad
to be more conservative though, we should require that third party withdrawals/redemptions are both approved for the erc20 shares and have operator status for the erc1155 receipts
this way, someone can approve a third party to handle shares without exposing their receipts to be burned
this is important because receipts are not all created equally, burning the correct receipt is very important and so has a higher burden of trust than simply moving shares around
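
The check proposed above, as an added Solidity sketch (not code from the project). The contract name, storage layout, errors and the `deposit`/`redeem` signatures are hypothetical, and it assumes shares and receipts are burned 1:1 and that the caller names the receipt id:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical minimal vault, used only to illustrate the dual authorization check.
/// Shares follow ERC20 allowance semantics, receipts follow ERC1155 operator semantics.
contract DualAuthVaultSketch {
    mapping(address => uint256) public shareBalance;                       // ERC20 balanceOf
    mapping(address => mapping(address => uint256)) public shareAllowance; // ERC20 allowance
    mapping(address => mapping(uint256 => uint256)) public receiptBalance; // ERC1155 balanceOf
    mapping(address => mapping(address => bool)) public receiptOperator;   // ERC1155 isApprovedForAll

    error NotReceiptOperator(address owner, address caller);
    error InsufficientShareAllowance(address owner, address caller, uint256 allowed, uint256 needed);

    function approve(address spender, uint256 amount) external {
        shareAllowance[msg.sender][spender] = amount;
    }

    function setApprovalForAll(address operator, bool approved) external {
        receiptOperator[msg.sender][operator] = approved;
    }

    /// Mints shares and a receipt with the given id 1:1 (assumption of this sketch).
    function deposit(uint256 id, uint256 amount) external {
        shareBalance[msg.sender] += amount;
        receiptBalance[msg.sender][id] += amount;
    }

    /// Burns `shares` and the same amount of receipt `id` from `owner`.
    /// The owner needs no approval; a third party caller needs BOTH approvals.
    function redeem(address owner, uint256 id, uint256 shares) external {
        if (msg.sender != owner) {
            // Receipt side: the caller picks which receipt is burned, so require operator status.
            if (!receiptOperator[owner][msg.sender]) revert NotReceiptOperator(owner, msg.sender);
            // Share side: the existing ERC20 allowance check, spent unless it is infinite.
            uint256 allowed = shareAllowance[owner][msg.sender];
            if (allowed < shares) {
                revert InsufficientShareAllowance(owner, msg.sender, allowed, shares);
            }
            if (allowed != type(uint256).max) shareAllowance[owner][msg.sender] = allowed - shares;
        }
        shareBalance[owner] -= shares;       // checked arithmetic reverts on underflow
        receiptBalance[owner][id] -= shares; // reverts if owner does not hold enough of this receipt
        // Transfer of the underlying asset to a receiver is omitted from this sketch.
    }
}
```

With this shape, an address that only holds a share allowance reverts with `NotReceiptOperator` on `redeem`, so approving shares no longer exposes receipts to being burned.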