The unbond_public caller should support the delegator address
Summary
The unbond_public caller should support the delegator address
Vulnerability Detail
In https://github.com/sherlock-audit/2024-05-aleo/blob/main/snarkVM/synthesizer/program/src/resources/credits.aleo#L450 it just supports the staker's withdrawal address. As the actual controller of the staker, the delegator should have the authority to operate the assets. For the sake of daily operation and maintenance security, the withdrawal address is usually a cold wallet address, and this address should not be used frequently. We should support the delegator as the initiator of unbonding, and the staked assets will be still withdrawn to the withdrawal address, which is the address set at the time of staking.
Impact
Ensure the security of the withdrawal address and protect the security of user assets.
Code Snippet
/* Check Caller's Permission */
// Get the staker's withdrawal address.
get withdraw[r1] into r6;
// Check if the caller's address equals the staker's withdrawal address.
is.eq r0 r6 into r7;
Tool used
Manual Review
Recommendation
The unbond_public caller should support the delegator address.
coder-lb
Medium
The unbond_public caller should support the delegator address
Summary
The unbond_public caller should support the delegator address
Vulnerability Detail
In https://github.com/sherlock-audit/2024-05-aleo/blob/main/snarkVM/synthesizer/program/src/resources/credits.aleo#L450 it just supports the staker's withdrawal address. As the actual controller of the staker, the delegator should have the authority to operate the assets. For the sake of daily operation and maintenance security, the withdrawal address is usually a cold wallet address, and this address should not be used frequently. We should support the delegator as the initiator of unbonding, and the staked assets will be still withdrawn to the withdrawal address, which is the address set at the time of staking.
Impact
Ensure the security of the withdrawal address and protect the security of user assets.
Code Snippet
Tool used
Manual Review
Recommendation
The unbond_public caller should support the delegator address.