near-daos / sputnik-dao-contract

Smart contracts for https://app.astrodao.com
https://astrodao.com/
MIT License

Do not allow users to self delegate tokens inside the staking contract #155

Closed ctindogaru closed 2 years ago

ctindogaru commented 2 years ago

Issue reported by Halborn during the audit.

Full description: The delegate() function in sputnik-staking/lib.rs does not check if sender_id == account_id; as a result, the function caller can delegate votes to itself.

TrevorJTClarke commented 2 years ago

@ctindogaru In fact this is not a bug - you should be able to stake your tokens, delegate to yourself, so you can vote with the weight you carry based on your staked tokens. I believe the audit didn't understand this use case.

ctindogaru commented 2 years ago

Closing this as self-delegation is a normal process and should not be forbidden.
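The use case described in this thread, as an added example that is not code from sputnik-staking/lib.rs: a simplified model in which voting weight is only ever credited through delegation, so an account must delegate to itself to vote with its own stake. The struct, its field names, the `alice.near`/`bob.near` accounts and the cap that total delegations cannot exceed the staked amount are assumptions made for illustration.

```rust
use std::collections::HashMap;

/// Simplified bookkeeping model (hypothetical names, not the contract's own types).
#[derive(Default)]
pub struct Staking {
    staked: HashMap<String, u128>,        // tokens each account deposited
    delegated_out: HashMap<String, u128>, // portion of that stake already delegated
    weight: HashMap<String, u128>,        // voting weight received through delegation
}

impl Staking {
    pub fn stake(&mut self, who: &str, amount: u128) {
        *self.staked.entry(who.to_string()).or_insert(0) += amount;
    }

    /// Deliberately has no `sender != delegate` check: self-delegation is allowed.
    /// The safety property is the cap below, not the identity of the delegate.
    pub fn delegate(&mut self, sender: &str, delegate: &str, amount: u128) -> Result<(), String> {
        let staked = self.staked.get(sender).copied().unwrap_or(0);
        let used = self.delegated_out.get(sender).copied().unwrap_or(0);
        let total = used.checked_add(amount).ok_or("overflow")?;
        if total > staked {
            // Assumed invariant: an account can never delegate more than it staked.
            return Err("not enough staked tokens to delegate".to_string());
        }
        self.delegated_out.insert(sender.to_string(), total);
        *self.weight.entry(delegate.to_string()).or_insert(0) += amount;
        Ok(())
    }

    pub fn voting_weight(&self, who: &str) -> u128 {
        self.weight.get(who).copied().unwrap_or(0)
    }
}

fn main() {
    let mut s = Staking::default();
    s.stake("alice.near", 100); // constructed sample account and amount
    println!("weight before delegating: {}", s.voting_weight("alice.near"));
    s.delegate("alice.near", "alice.near", 100).unwrap();
    println!("weight after self-delegation: {}", s.voting_weight("alice.near"));
    println!("extra delegation: {:?}", s.delegate("alice.near", "alice.near", 1));
}
```

In this model, staking alone carries no weight, and self-delegation cannot inflate it because the cap applies to every delegation regardless of the delegate.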