Although ordinary blockchains can be unbundled and the funds can be transferred to the account in real time, Aleo still needs to be operated again. However, all operations should be triggered by the user, and the assets should not be claimed for me without my confirmation. Or will there be a bot to actively claim the assets for the user in the future? If so, who will be responsible for the gas fee?
Code Snippet
Tool used
Manual Review
Recommendation
Check if the caller's address equals the staker's withdrawal address.
marco-storswift
Medium
Claim_unbond_public should be limited to caller' address
Summary
Claim_unbond_public should be limited to caller' address
Vulnerability Detail
Claim_unbond_public should be limited to caller' address, https://github.com/sherlock-audit/2024-05-aleo/blob/main/snarkVM/synthesizer/program/src/resources/credits.aleo#L676
Impact
Although ordinary blockchains can be unbundled and the funds can be transferred to the account in real time, Aleo still needs to be operated again. However, all operations should be triggered by the user, and the assets should not be claimed for me without my confirmation. Or will there be a bot to actively claim the assets for the user in the future? If so, who will be responsible for the gas fee?
Code Snippet
Tool used
Manual Review
Recommendation
Check if the caller's address equals the staker's withdrawal address.