MlumStaking::harvestPositionsTo can only be called by the token owner
Bitter Seaweed Eagle
Low/Info
Summary
According to its code comments, `MlumStaking::harvestPositionsTo` is intended to do the following:
```solidity
/**
 * @dev Harvest from multiple staking positions to "to" address
 * Can only be called by lsNFT's owner or approved address
 */
```
In practice, it cannot be called by anyone other than the owner of the token.
Vulnerability Detail
When calling `MlumStaking::harvestPositionsTo`, the first authentication is `_requireOnlyApprovedOrOwnerOf(tokenId)`, which passes if the caller is the owner or someone who has been approved, in line with the purpose of the `harvestPositionsTo` function. But the second check, a `require` statement, will not pass if the caller is an approved address, so the function cannot be called from an approved address.
Impact
Broken assumptions of a function.
POC
Code Snippet
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L470-L489
Tool used
Manual Review, VSCode, Foundry
Recommendation
Remove the `require` statement, as all of the necessary checks have already been done by `_requireOnlyApprovedOrOwnerOf(tokenId);`.
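The check ordering described under Vulnerability Detail, next to the form the Recommendation produces, as an added example that is not code from MlumStaking or from the report's author. Only `_requireOnlyApprovedOrOwnerOf` and `harvestPositionsTo` are names from the page; the contract name, the `Before`/`After` suffixes, the parameters, the storage layout and the owner-only `require` standing in for the second check are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed minimal model, not MlumStaking itself. The owner-only require in
// harvestPositionsToBefore is an assumed stand-in for the second check that the
// report says rejects approved addresses.
contract HarvestAuthModel {
    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => address) public getApproved;
    mapping(uint256 => address) public lastHarvestTo; // stands in for the reward transfer

    function mint(uint256 tokenId) external {
        require(ownerOf[tokenId] == address(0), "already minted");
        ownerOf[tokenId] = msg.sender;
    }

    function approve(address spender, uint256 tokenId) external {
        require(ownerOf[tokenId] == msg.sender, "not owner");
        getApproved[tokenId] = spender;
    }

    function _requireOnlyApprovedOrOwnerOf(uint256 tokenId) internal view {
        require(
            msg.sender == ownerOf[tokenId] || msg.sender == getApproved[tokenId],
            "not approved or owner"
        );
    }

    // Before: the second check narrows access back to the owner, so an approved
    // caller passes the first check and then reverts on the second.
    function harvestPositionsToBefore(uint256[] calldata tokenIds, address to) external {
        for (uint256 i = 0; i < tokenIds.length; ++i) {
            _requireOnlyApprovedOrOwnerOf(tokenIds[i]);
            require(msg.sender == ownerOf[tokenIds[i]], "not owner");
            lastHarvestTo[tokenIds[i]] = to;
        }
    }

    // After: only the approved-or-owner check remains, matching the documented intent.
    function harvestPositionsToAfter(uint256[] calldata tokenIds, address to) external {
        for (uint256 i = 0; i < tokenIds.length; ++i) {
            _requireOnlyApprovedOrOwnerOf(tokenIds[i]);
            lastHarvestTo[tokenIds[i]] = to;
        }
    }
}
```

A regression test for the fix should call the function from an approved, non-owner address and expect success, and from an unrelated address and expect a revert.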