Closed sherlock-admin closed 7 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid: msg.sender is in place at line 593 to ensure it's the validator.
Invalid, msg.sender is used to retrieve staking information, so a user cannot arbitrarily claim other stakers' rewards.
emrekocak
high
Anyone can redeem any delegator's or validator's reward
Summary
There is no beneficiary address check in the _redeemRewards function, which makes all rewards accessible to anyone.
Vulnerability Detail
Attackers can call the redeemAllRewards or redeemRewards function and specify their address as the beneficiary address, with any validatorId. There are no restrictions on the beneficiary address, which means that anyone could potentially steal all of the rewards.
Impact
Anyone can redeem any delegator's or validator's reward.
Code Snippet
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L589-L635
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L577-L579
https://github.com/sherlock-audit/2023-11-covalent/blob/main/cqt-staking/contracts/OperationalStaking.sol#L584-L587
Tool used
Manual Review
Recommendation
Add this line like in the function redeemCommission.
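As an added illustration of the point raised in judging (this is constructed example code, not the audited OperationalStaking contract, and the contract name, mapping layout and `credit` helper are assumptions): when the staker whose balance is debited is always msg.sender, a caller-chosen beneficiary only decides where the caller's own rewards are sent, and passing someone else's validatorId just redeems the caller's own balance for that validator.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration, not the Covalent staking contract.
contract RewardsExample {
    // validatorId => staker => claimable reward amount (reward token units)
    mapping(uint128 => mapping(address => uint128)) public rewards;

    event Redeemed(uint128 indexed validatorId, address indexed staker, address beneficiary, uint128 amount);

    // Assumed helper so the example is self-contained (unrestricted here only for illustration).
    function credit(uint128 validatorId, address staker, uint128 amount) external {
        rewards[validatorId][staker] += amount;
    }

    // Staking information is read for msg.sender, never for a caller-supplied address,
    // so the only balance this call can reduce is the caller's own.
    // `beneficiary` selects the payout destination and needs no ownership check;
    // a zero-address check still guards against burning the payout.
    function redeemRewards(uint128 validatorId, address beneficiary) external returns (uint128 amount) {
        require(beneficiary != address(0), "zero beneficiary");
        amount = rewards[validatorId][msg.sender];
        require(amount > 0, "nothing to redeem");
        rewards[validatorId][msg.sender] = 0;
        emit Redeemed(validatorId, msg.sender, beneficiary, amount);
        // token transfer to `beneficiary` for `amount` would follow here
    }

    // If a design must accept an explicit staker parameter (for example for a
    // batch helper), the equivalent check is to tie it back to msg.sender.
    function redeemRewardsFor(uint128 validatorId, address staker, address beneficiary) external returns (uint128 amount) {
        require(staker == msg.sender, "not the staker");
        require(beneficiary != address(0), "zero beneficiary");
        amount = rewards[validatorId][staker];
        require(amount > 0, "nothing to redeem");
        rewards[validatorId][staker] = 0;
        emit Redeemed(validatorId, staker, beneficiary, amount);
    }
}
```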