sherlock-audit / 2023-06-bond-judging


kutugu - Users can bypass allowList #109

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

kutugu

medium

Users can bypass allowList

Summary

allowList checks the token balance before the user stakes. It is presumably used to limit the amount of stakeToken staked, but this limit can be bypassed.

Vulnerability Detail

```solidity
    function isAllowed(address user_, bytes calldata proof_) external view override returns (bool) {
        // External proof data isn't needed for this implementation

        // Get the allowlist token and balance threshold for the sender contract
        TokenCheck memory check = checks[msg.sender];

        // Return whether or not the user passes the balance threshold check
        return check.token.balanceOf(user_) >= uint256(check.threshold);
    }
```

For stakeToken, the user only needs to leave a threshold - 1 balance and then call stake multiple times to bypass the restriction. For other tokens, the user can create multiple accounts to stake.

Impact

Users can bypass the allowList, which seems not to work.

Code Snippet

Tool used

Manual Review

Recommendation

Consider optimizing the allowList; use internal accounting.
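The difference between the balance-gated check above and the recommended internal accounting, as an added model that is not part of this issue or of the audited code base: the token ledger, the allowlist and the staking pool are plain Python objects, and the names `Token`, `StakingPool`, `cap` and `staked` are assumptions made for the model. The scenario uses a check token that is not the stake token, so staking never changes the balance the allowlist reads and the balance gate alone never limits the cumulative stake.

```python
"""Balance-gated allowlist versus internal accounting.

Added example, not code from the audited repository: tokens, the allowlist and
the staking pool are modelled as plain Python objects so the two check designs
can be compared offline. Names (Token, StakingPool, cap, staked) are assumptions.
"""


class Token:
    """Minimal ERC20-like ledger (constructed for the model)."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount


class BalanceAllowlist:
    """Mirrors isAllowed(): true whenever the *current* balance of the check
    token meets the threshold. It keeps no memory of earlier stakes."""

    def __init__(self, token, threshold):
        self.token = token
        self.threshold = threshold

    def is_allowed(self, user, amount):
        return self.token.balance_of(user) >= self.threshold

    def record(self, user, amount):
        pass  # nothing to record: the check is stateless


class AccountingAllowlist(BalanceAllowlist):
    """Hardened variant (assumed design, following the recommendation): keep
    the balance gate but also track the cumulative amount each address has
    staked and refuse once a per-address cap would be exceeded."""

    def __init__(self, token, threshold, cap):
        super().__init__(token, threshold)
        self.cap = cap
        self.staked = {}

    def is_allowed(self, user, amount):
        within_cap = self.staked.get(user, 0) + amount <= self.cap
        return super().is_allowed(user, amount) and within_cap

    def record(self, user, amount):
        self.staked[user] = self.staked.get(user, 0) + amount


class StakingPool:
    """Pool that consults its allowlist before every stake() call."""

    def __init__(self, stake_token, allowlist):
        self.stake_token = stake_token
        self.allowlist = allowlist
        self.deposits = {}

    def stake(self, user, amount):
        if not self.allowlist.is_allowed(user, amount):
            return False
        self.stake_token.transfer(user, "pool", amount)
        self.allowlist.record(user, amount)
        self.deposits[user] = self.deposits.get(user, 0) + amount
        return True


def total_staked(kind, attempts=20, amount=10, threshold=100, cap=50):
    """Constructed scenario: the check token is *not* the stake token, so
    staking never lowers the balance the allowlist reads. Returns the user's
    total deposit after `attempts` stake() calls of `amount` each."""
    check_token = Token({"alice": threshold})  # exactly at the threshold
    stake_token = Token({"alice": attempts * amount})
    if kind == "balance":
        allowlist = BalanceAllowlist(check_token, threshold)
    elif kind == "accounting":
        allowlist = AccountingAllowlist(check_token, threshold, cap)
    else:
        raise ValueError(kind)
    pool = StakingPool(stake_token, allowlist)
    for _ in range(attempts):
        pool.stake("alice", amount)
    return pool.deposits.get("alice", 0)


if __name__ == "__main__":
    print("balance-gated  :", total_staked("balance"))     # 200: every call passes
    print("with accounting:", total_staked("accounting"))  # 50: capped per address
```

Per-address accounting closes the repeated-call path, but it does not by itself address the second half of the finding: state keyed by address can still be split across several addresses, so a pool that needs a real per-participant limit has to tie the cap to something harder to multiply than an address.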