Github username: --
Submission hash (on-chain): 0xa90c05833bbc1961003b8ea19c09812ee8bdcb7180080e99438c1d6872c4261d
Severity: high
Description:Description\
Anyone can call batchCancelDepositAsBnftHolder on behalf of other user
Attack Scenario\
The function batchCancelDepositAsBnftHolder is taking an address as an input and that address is the address of caller so anyone can input someone else address and _validatorIds and can cancel on behalf of someone else.
If you see the function batchCancelDeposit then instead of taking the address of caller it is using msg.sender which is a good way but taking the input is very dangerous as anyone can pu someone else addres
Github username: -- Submission hash (on-chain): 0xa90c05833bbc1961003b8ea19c09812ee8bdcb7180080e99438c1d6872c4261d Severity: high
Description: Description\ Anyone can call
batchCancelDepositAsBnftHolder
on behalf of other userAttack Scenario\ The function
batchCancelDepositAsBnftHolder
is taking an address as an input and that address is the address ofcaller
so anyone can input someone else address and_validatorIds
and can cancel on behalf of someone else.If you see the function
batchCancelDeposit
then instead of taking the address ofcaller
it is usingmsg.sender
which is a good way but taking the input is very dangerous as anyone can pu someone else addresAttachments https://github.com/GadzeFinance/dappContracts/blob/180c708dc7cb3214d68ea9726f1999f67c3551c9/src/StakingManager.sol#L210-L225
Recommendation
it is recommended to use
msg.sender
instead of taking input from user