Fixes a bug in transferAllocatedTokens that would allow anyone to claim pendingRewardFor tokens from other accounts.
allocated[msg.sender] -= amount was intended to prevent unauthorized callers; however, this could be circumvented with an amount of 0. pendingRewardFor is then added to the amount, and so anyone could call to transfer this pending amount to anyone else.
The pending reward is typically dust (less than 1e18); however, with boost delegation it also includes the received delegate fees, which could result in significant amounts.
We have fixed this by moving if (amount > 0) to the first line within the function, so that it is impossible to circumvent the allocated check with an initial amount of zero. We choose this instead of a require statement to prevent breaking caller contracts that might not check for amount > 0 prior to calling.
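The description above, as an added example that is not the project's code: a simplified model of the check before and after the guard was moved. The contract name, the three-argument signature, `seed`, `paid` and `_payOut` are assumptions made for illustration; only `allocated`, `pendingRewardFor` and the `if (amount > 0)` guard come from the description.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model for review and testing; not the project's contract.
// Names other than allocated / pendingRewardFor are hypothetical.
contract AllocationModel {
    mapping(address => uint256) public allocated;        // per-caller allowance
    mapping(address => uint256) public pendingRewardFor; // per-claimant pending balance
    mapping(address => uint256) public paid;             // stands in for the token transfer

    // Hypothetical helper to seed state in a unit test.
    function seed(address caller, uint256 alloc, address claimant, uint256 pending) external {
        allocated[caller] = alloc;
        pendingRewardFor[claimant] = pending;
    }

    // Before (modelled): the subtraction is the only authorization. Checked
    // arithmetic reverts when amount > allocated[msg.sender], but amount == 0
    // passes for every caller and the pending balance is still paid out.
    // Where the original guard sat is not shown in the description, so it is omitted.
    function transferBefore(address claimant, address receiver, uint256 amount) external {
        allocated[msg.sender] -= amount;
        _payOut(claimant, receiver, amount);
    }

    // After: the guard is the first statement. A zero amount becomes a no-op
    // (no revert, so callers that pass 0 keep working) and never reaches
    // the claimant's pending balance.
    function transferAfter(address claimant, address receiver, uint256 amount) external {
        if (amount > 0) {
            allocated[msg.sender] -= amount;
            _payOut(claimant, receiver, amount);
        }
    }

    // Pays the requested amount plus whatever is pending for the claimant.
    function _payOut(address claimant, address receiver, uint256 amount) private {
        uint256 total = amount + pendingRewardFor[claimant];
        pendingRewardFor[claimant] = 0;
        paid[receiver] += total;
    }
}
```

A regression test for the fix seeds a claimant's pending balance, calls the function from an account with no allocation and an amount of 0, and asserts that `pendingRewardFor` for the claimant and `paid` for the receiver are unchanged.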