emergencyWithdraw() sends funds to msg.sender which may not be the NFT owner
Summary
emergencyWithdraw() can be called by a whitelisted operator address in _unlockOperators, sending locked funds to them instead of the NFT owner.
Vulnerability Detail
_unlockOperators is a set of addresses that are allowed to forcibly unlock locked NFTs. In emergencyWithdraw(), this could be called by these operators, but the locked funds are transferred to the caller, which would be these operators, instead of the intended recipient, the NFT owner.
Lone Opaque Mustang
Low/Info
emergencyWithdraw()sends funds tomsg.senderwhich may not be the NFT ownerSummary
emergencyWithdraw()can be called by a whitelisted operator address in_unlockOperators, sending locked funds to them instead of the NFT owner.Vulnerability Detail
_unlockOperatorsis a set of addresses that are allowed to forcibly unlock locked NFTs. InemergencyWithdraw(), this could be called by these operators, but the locked funds are transferred to the caller, which would be these operators, instead of the intended recipient, the NFT owner.Impact
Fund transfer to incorrect recipient.
Code Snippet
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L559
Tool used
Manual Review
Recommendation
stakedTokenshould be transferred to the NFT owner.