Open sherlock-admin3 opened 1 month ago
Due to conflicting checks in the harvestPositionsTo() function, authorized addresses are prevented from harvesting on behalf of the NFT owner.
This was fixed during another audit. Add a code comment to show the fix in the PR.
The protocol team fixed this issue in the following PRs/commits: https://github.com/metropolis-exchange/magicsea-staking/pull/23
The Lead Senior Watson signed off on the fix.
minhquanym
Medium
Inconsistent check in harvestPositionsTo() function

Summary
The inconsistent check in the harvestPositionsTo() function limits the ability of an approved address to harvest on behalf of the owner.

Vulnerability Detail
In the function harvestPositionsTo(), the function _requireOnlyApprovedOrOwnerOf() allows the owner or an approved address to harvest for the position. However, the check
(msg.sender == tokenOwner && msg.sender == to)
only allows the caller to be the token owner. Thus these 2 checks contradict each other.

Impact
Contradictions in the function harvestPositionsTo(). An approved address cannot call harvestPositionsTo() on behalf of the NFT owner.

Code Snippet
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L475-L484

Tool used
Manual Review

Recommendation
The intended check in the function harvestPositionsTo() might be obtained by changing && to ||.
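As an added illustration, not the MagicSea code, here is a simplified Solidity contract that reconstructs the two checks the report describes and places the recommended `||` form beside the reported one. The ownership and approval mappings, the mint/approve helpers and the function names other than _requireOnlyApprovedOrOwnerOf() are assumptions; the harvest itself is omitted so only the access-control logic remains.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified model of the checks described in the report.
// This is not MlumStaking.sol: ownership and approvals are plain mappings so the
// access-control logic can be read and exercised on its own (e.g. in Remix).
contract HarvestCheckDemo {
    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => address) public getApproved;

    function mint(uint256 tokenId, address to) external { ownerOf[tokenId] = to; }

    function approve(uint256 tokenId, address operator) external {
        require(msg.sender == ownerOf[tokenId], "NOT_OWNER");
        getApproved[tokenId] = operator;
    }

    // First check: the owner OR an approved address may act on the position.
    function _requireOnlyApprovedOrOwnerOf(uint256 tokenId) internal view {
        require(
            msg.sender == ownerOf[tokenId] || msg.sender == getApproved[tokenId],
            "NOT_APPROVED_OR_OWNER"
        );
    }

    // Second check as reported: it can only be satisfied by the owner harvesting to
    // itself, so the approved path opened by the first check can never complete.
    function harvestPositionsToReported(uint256[] calldata tokenIds, address to) external view returns (bool) {
        for (uint256 i = 0; i < tokenIds.length; ++i) {
            _requireOnlyApprovedOrOwnerOf(tokenIds[i]);
            address tokenOwner = ownerOf[tokenIds[i]];
            // approved caller: msg.sender != tokenOwner, so this always reverts
            require(msg.sender == tokenOwner && msg.sender == to, "FORBIDDEN");
        }
        return true;
    }

    // Recommended form from the report: `&&` replaced by `||`. The owner may harvest
    // to any address; an approved caller passes only when it is itself the destination.
    function harvestPositionsToRecommended(uint256[] calldata tokenIds, address to) external view returns (bool) {
        for (uint256 i = 0; i < tokenIds.length; ++i) {
            _requireOnlyApprovedOrOwnerOf(tokenIds[i]);
            address tokenOwner = ownerOf[tokenIds[i]];
            require(msg.sender == tokenOwner || msg.sender == to, "FORBIDDEN");
        }
        return true;
    }
}
```

To reproduce the contradiction: mint a token to account A, have A approve account B, then call both harvest functions from B with to = B; the reported form reverts with FORBIDDEN while the recommended form returns true.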