Open florian-bellotti opened 1 week ago
@nagmo-starkware
first, we are planning to change this for another reason (it can be an opening for phishing attacks). however, I'm not sure I understand: `get_caller_address()` solves the problem.
When interacting with a contract like an LST (Liquid Staking Token), the process works as follows: The user sends a transaction to mint tokens. The LST contract then interacts with the delegation pool. In this case, the staker should be the LST contract, not the user who initiated the transaction.
For another scenario, if the user interacts directly with the delegation pool contract while using a paymaster service, the sender is not the user but the paymaster relayer. Here, the paymaster relayer should not be treated as the staker.
Using `account_contract_address`, which returns the sender's address, instead of `get_caller_address`, which returns the actual caller's address, can be dangerous and may introduce vulnerabilities.
got it. but both of your examples are of smart contracts interacting with the pool contract where we don't have such checks. do you have a case where the initiator of the tx is not the staker while actually calling the staking contract?
Yes, if the user interacts directly with the staking contract while using a paymaster service, the sender is not the user but the paymaster relayer. Here, the paymaster relayer should not be treated as the staker.
And when initiating an LST contract, the LST will have to call the Staking contract to deploy the delegation pool. The sender will be the LST owner, but the staker should be the LST.
Description
In the `stake` function of the `Staking` contract, the current logic uses `get_tx_info().account_contract_address` to retrieve the address of the staker. However, the account contract from which a transaction originates is not necessarily the staker, which may lead to incorrect behavior.
Suggested Solution
Instead of relying on `account_contract_address`, it would be more appropriate to use `get_caller_address()` or `get_execution_info().caller_address` to retrieve the address of the staker.
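A small Python model of the three call paths discussed in this thread (direct call, call through an LST contract, relayed call), added here as an illustration and not part of the issue or the project's code. `Env`, `Lst`, `Account`, `scenario` and the addresses are hypothetical, and the relayed path assumes the relayer forwards the call through the user's account contract.

```python
class Env:
    """Constructed model of one transaction's execution context."""
    def __init__(self, account_contract_address):
        self.account_contract_address = account_contract_address  # tx sender account
        self.frames = [account_contract_address]  # frames[-1] is the running contract

    def call(self, target, method, *args):
        caller = self.frames[-1]  # what the callee sees as its caller
        self.frames.append(target.address)
        try:
            return getattr(target, method)(self, caller, *args)
        finally:
            self.frames.pop()

class Staking:
    address = "STAKING"
    def __init__(self):
        self.by_tx_account = {}  # staker read from tx info (logic the issue describes)
        self.by_caller = {}      # staker read from the caller (suggested logic)

    def stake(self, env, caller, amount):
        origin = env.account_contract_address
        self.by_tx_account[origin] = self.by_tx_account.get(origin, 0) + amount
        self.by_caller[caller] = self.by_caller.get(caller, 0) + amount

class Lst:
    address = "LST"
    def __init__(self, staking):
        self.staking = staking
    def mint(self, env, caller, amount):
        env.call(self.staking, "stake", amount)  # the LST contract stakes for itself

class Account:
    address = "USER"
    def execute_from_outside(self, env, caller, target, method, *args):
        # Assumption: a relayed call is forwarded through the user's account.
        return env.call(target, method, *args)

def scenario(name):
    """Return (staker per tx account, staker per caller) for one call path."""
    staking = Staking()
    if name == "direct":       # USER -> Staking
        Env("USER").call(staking, "stake", 100)
    elif name == "lst":        # USER -> LST -> Staking
        Env("USER").call(Lst(staking), "mint", 100)
    elif name == "paymaster":  # RELAYER -> USER account -> Staking
        Env("RELAYER").call(Account(), "execute_from_outside", staking, "stake", 100)
    return staking.by_tx_account, staking.by_caller
```

The two lookups agree only on the direct path; on the other two, the transaction's account and the caller are different addresses.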