search

sherlock-audit / 2024-05-aleo-judging

0 stars 0 forks source link

coder-lb - The unbond_public caller should support the delegator address #11

Closed sherlock-admin4 closed 1 week ago

sherlock-admin4 commented 2 weeks ago

coder-lb

Medium

The unbond_public caller should support the delegator address

Summary

The unbond_public caller should support the delegator address

Vulnerability Detail

In https://github.com/sherlock-audit/2024-05-aleo/blob/main/snarkVM/synthesizer/program/src/resources/credits.aleo#L450 it just supports the staker's withdrawal address. As the actual controller of the staker, the delegator should have the authority to operate the assets. For the sake of daily operation and maintenance security, the withdrawal address is usually a cold wallet address, and this address should not be used frequently. We should support the delegator as the initiator of unbonding, and the staked assets will be still withdrawn to the withdrawal address, which is the address set at the time of staking.

Impact

Ensure the security of the withdrawal address and protect the security of user assets.

Code Snippet

/* Check Caller's Permission */

// Get the staker's withdrawal address.
get withdraw[r1] into r6;
// Check if the caller's address equals the staker's withdrawal address.
is.eq r0 r6 into r7;

Tool used

Manual Review

Recommendation

The unbond_public caller should support the delegator address.