Fixes a bug in transferAllocatedTokens that would allow anyone to claim pendingRewardFor tokens from other accounts.
allocated[msg.sender] -= amount was intended to prevent unauthorized callers, however this could be circumvented with an amount of 0. pendingRewardFor is then added to the amount, and so anyone could call to transfer this pending amount to anyone else.
The pending reward is typically dust (less than 1e18) however with boost delegation it also includes the received delegate fees, which could result in significant amounts.
We have fixed by moving if (amount > 0) to the first line within the function, so that it is impossible to circumvent the allocated check with an initial amount of zero. We choose this instead of a require statement to prevent breaking caller contracts that might not check for amount > 0 prior to calling.
Fixes a bug in
transferAllocatedTokensthat would allow anyone to claimpendingRewardFortokens from other accounts.allocated[msg.sender] -= amountwas intended to prevent unauthorized callers, however this could be circumvented with anamountof0.pendingRewardForis then added to the amount, and so anyone could call to transfer this pending amount to anyone else.The pending reward is typically dust (less than
1e18) however with boost delegation it also includes the received delegate fees, which could result in significant amounts.We have fixed by moving
if (amount > 0)to the first line within the function, so that it is impossible to circumvent theallocatedcheck with an initial amount of zero. We choose this instead of arequirestatement to prevent breaking caller contracts that might not check foramount > 0prior to calling.