Github username: --
Submission hash (on-chain): 0xa90c05833bbc1961003b8ea19c09812ee8bdcb7180080e99438c1d6872c4261d
Severity: high
Description:Description\
Anyone can call batchCancelDepositAsBnftHolder on behalf of other user
Attack Scenario\
The function batchCancelDepositAsBnftHolder is taking an address as an input and that address is the address of caller so anyone can input someone else address and _validatorIds and can cancel on behalf of someone else.
If you see the function batchCancelDeposit then instead of taking the address of caller it is using msg.sender which is a good way but taking the input is very dangerous as anyone can pu someone else addres
seongyun-ko
commented
11 months ago
Github username: -- Submission hash (on-chain): 0xa90c05833bbc1961003b8ea19c09812ee8bdcb7180080e99438c1d6872c4261d Severity: high
Description: Description\ Anyone can call
batchCancelDepositAsBnftHolderon behalf of other userAttack Scenario\ The function
batchCancelDepositAsBnftHolderis taking an address as an input and that address is the address ofcallerso anyone can input someone else address and_validatorIdsand can cancel on behalf of someone else.If you see the function
batchCancelDepositthen instead of taking the address ofcallerit is usingmsg.senderwhich is a good way but taking the input is very dangerous as anyone can pu someone else addresAttachments https://github.com/GadzeFinance/dappContracts/blob/180c708dc7cb3214d68ea9726f1999f67c3551c9/src/StakingManager.sol#L210-L225
Recommendation
it is recommended to use
msg.senderinstead of taking input from user