Everyone can add an additional amount to an existing staking position
Summary
Everyone can add an additional amount to an existing staking position.
Vulnerability Detail
To add an additional amount to an existing staking position through the addToPosition function, the caller must be the owner (or an approved operator) of the position. This check is done through the _requireOnlyOperatorOrOwnerOf helper, which the code treats as an access-control modifier.
The _requireOnlyOperatorOrOwnerOf check always passes because msg.sender is passed as both the owner and the spender of the tokenId when calling the _isAuthorized function. The real owner of the tokenId is never read. _isAuthorized only requires that spender != address(0) and that owner == spender (the remaining disjuncts, isApprovedForAll and _getApproved, are short-circuited), and both conditions are trivially true for any non-zero caller.
function _requireOnlyOperatorOrOwnerOf(uint256 tokenId) internal view {
    //@audit-issue H this is always true because _isAuthorized is:
    /* return
        spender != address(0) &&
        (owner == spender || isApprovedForAll(owner, spender) || _getApproved(tokenId) == spender);
    */
    //@audit-info here owner == spender == msg.sender, so owner == spender always holds
    // isApprovedOrOwner: caller has no rights on token
    require(ERC721Upgradeable._isAuthorized(msg.sender, msg.sender, tokenId), "FORBIDDEN");
}
The _requireOnlyOperatorOrOwnerOf check therefore does not prevent the addToPosition function from being called by any address, whether or not it holds or is approved for the tokenId. This is problematic because, by design, only the owner or an operator of the tokenId should be able to add an additional amount to the staking position and update its lockDuration and startLockTime.
gkrastenov
High
Impact
The lockDuration and startLockTime of the position will be updated by a caller who does not own it, which may not be desired by the owner and can affect the staking.
Code Snippet
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L142
Tool used
Manual Review
Recommendation
Make the following changes:
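The concrete change is not reproduced on this page. The following is an added illustration, not MlumStaking's code or the fix the project shipped: it shows the vulnerable check from the finding next to a corrected version that first resolves the real owner of the tokenId and then asks whether msg.sender is that owner, an operator, or the approved address. It assumes OpenZeppelin Contracts Upgradeable v5, where ERC721Upgradeable provides _isAuthorized(owner, spender, tokenId) and _requireOwned(tokenId); the Position struct, positions mapping, mint helper and addToPosition body are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not MlumStaking's code. Assumes OpenZeppelin Contracts Upgradeable v5.
import {ERC721Upgradeable} from "@openzeppelin/contracts-upgradeable/token/ERC721/ERC721Upgradeable.sol";

contract PositionAuthExample is ERC721Upgradeable {
    // Hypothetical position layout, mirroring the fields named in the finding.
    struct Position {
        uint256 amount;
        uint256 lockDuration;
        uint256 startLockTime;
    }

    mapping(uint256 => Position) public positions;

    function initialize() external initializer {
        __ERC721_init("Position", "POS");
    }

    // Illustration-only mint so a test can create a position owned by some account.
    function mint(address to, uint256 tokenId, uint256 amount, uint256 lockDuration) external {
        _mint(to, tokenId);
        positions[tokenId] = Position(amount, lockDuration, block.timestamp);
    }

    // Vulnerable form, as quoted in the finding: owner and spender are both msg.sender,
    // so _isAuthorized reduces to msg.sender != address(0) && msg.sender == msg.sender.
    // The token's real owner is never consulted, and nonexistent tokenIds are not rejected.
    function _requireOnlyOperatorOrOwnerOfVulnerable(uint256 tokenId) internal view {
        require(_isAuthorized(msg.sender, msg.sender, tokenId), "FORBIDDEN");
    }

    // Corrected form: look up the actual owner (reverting if tokenId does not exist),
    // then check that msg.sender is that owner, an operator for it, or the approved address.
    function _requireOnlyOperatorOrOwnerOf(uint256 tokenId) internal view {
        address owner = _requireOwned(tokenId);
        require(_isAuthorized(owner, msg.sender, tokenId), "FORBIDDEN");
    }

    // Hypothetical addToPosition that relies on the corrected check. With the vulnerable
    // check in its place, any address could top up the position and reset its lock.
    function addToPosition(uint256 tokenId, uint256 amountToAdd, uint256 newLockDuration) external {
        _requireOnlyOperatorOrOwnerOf(tokenId);
        Position storage p = positions[tokenId];
        p.amount += amountToAdd;
        p.lockDuration = newLockDuration;
        p.startLockTime = block.timestamp;
    }
}
```

A quick way to confirm the distinction in a Foundry test is to mint tokenId 1 to one account, then call addToPosition from a different, unapproved account under vm.prank: against the corrected check the call reverts with "FORBIDDEN", while a contract wired to _requireOnlyOperatorOrOwnerOfVulnerable accepts it and overwrites lockDuration and startLockTime. The corrected form also covers the case the vulnerable one silently ignores, a tokenId that was never minted, because _requireOwned reverts before any authorization logic runs.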
Duplicate of #378