Open hats-bug-reporter[bot] opened 5 months ago
This would allow approved addresses to steal rewards inside the reward distributor and also allow them to brick their owner, since they can front-run him and transfer the NFT out when he tries to claim rewards. Also, I see no economic gain in allowing allowees to interact in the name of the owner. Too many trust-assumption risks.
Github username: @0xumarkhatab
Twitter username: 0xumarkhatab
Submission hash (on-chain): 0x2a136b898d08571e19603ff3835c8f2a934a3a8945d8e7f706967adb20f8f237
Severity: high
Description:

Most functions inside the staking contracts require the receiver or msg.sender to be the strict owner of the token they are using. However, this functionality should also be available for approved addresses of those token owners.

Attack Scenario:

Let's take a look at the following code snippets:

stakingPositionService#deposit
stakingServiceBase
stakingPositionManager contract

We can see that the stakingPositionManager's compliance check functions are the underlying core functions of the major staking operations of deposit and claim of staking.

However, if we take a closer look at the code, the code only executes if the executor is the owner of the token id. It will revert even if the executor is the approved user of the token owner.

As stated, the receiver parameter is not something that is taken from the user upon function invocation; rather, it's called with msg.sender as the receiver param, which effectively only allows the token owner to manage their investment.

Attachments: N/A
However, the current implementation is not practical in the real world. In the real world, the wealthy owners don't have enough time to do everything on their own.

There is this wealthy investor/token owner; they will hire a bunch of traders or account managers who will manage their assets for them (the token owner approving them for their tokens instead of just giving away their private keys).

Now this is the case for the majority of the token holders: they have approved addresses that take part in portfolio management and investment decisions.

However, the staking functionality does not serve that majority of the crypto holders to take part, and eventually loses a lot of share that it could process by allowing the token-approved addresses.

The code should check if the user is either an approved address of the token owner or the token owner itself. In both cases, the transaction should succeed. This will ensure that the staking functionality is available for 60% of users that might not have been able to use the previous implementation due to strict ownership checks and owners not having enough time to do everything on their own.
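The two authorization checks discussed in this report, side by side, as an added example (not code from the audited contracts or from either participant). The contract, function, event and error names are hypothetical; only ownerOf, getApproved and isApprovedForAll are standard ERC-721 calls, and paying the owner rather than the caller is an assumption of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of the standard ERC-721 interface used by the checks below.
interface IERC721Minimal {
    function ownerOf(uint256 tokenId) external view returns (address);
    function getApproved(uint256 tokenId) external view returns (address);
    function isApprovedForAll(address owner, address operator) external view returns (bool);
}

// Hypothetical contract: none of these names come from the audited code base.
contract PositionAccessExample {
    IERC721Minimal public immutable positions;
    // tokenId => reward units, credited by staking logic outside this example
    mapping(uint256 => uint256) public pendingRewards;

    event RewardsClaimed(uint256 indexed tokenId, address indexed caller, address paidTo, uint256 amount);
    error NotOwner(address caller, uint256 tokenId);
    error NotOwnerOrApproved(address caller, uint256 tokenId);

    constructor(IERC721Minimal positions_) {
        positions = positions_;
    }

    // Check the report describes: only the current owner passes.
    function checkStrictOwner(uint256 tokenId, address caller) public view {
        if (positions.ownerOf(tokenId) != caller) revert NotOwner(caller, tokenId);
    }

    // Check the report asks for: owner, per-token approved address, or operator.
    function checkOwnerOrApproved(uint256 tokenId, address caller) public view returns (address owner) {
        owner = positions.ownerOf(tokenId);
        bool allowed = caller == owner
            || positions.getApproved(tokenId) == caller
            || positions.isApprovedForAll(owner, caller);
        if (!allowed) revert NotOwnerOrApproved(caller, tokenId);
    }

    // Assumption: the payout goes to the owner, never to msg.sender, so a
    // delegated caller cannot direct the rewards to itself.
    function claimFor(uint256 tokenId) external returns (address paidTo, uint256 amount) {
        paidTo = checkOwnerOrApproved(tokenId, msg.sender);
        amount = pendingRewards[tokenId];
        pendingRewards[tokenId] = 0;
        emit RewardsClaimed(tokenId, msg.sender, paidTo, amount);
        // A real contract would transfer `amount` of the reward token to `paidTo` here.
    }
}
```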