Anyone can Withdraw staked tokens from an existing deposit on behalf of a user via `withdrawOnBehalf`

Summary

The withdrawOnBehalf function allows anyone to withdraw staked tokens on behalf of a user (_depositor) if they possess a valid _signature. However, the function lacks proper validation to restrict the caller (msg.sender) from initiating withdrawals unless they are authorized by the depositor. This creates a critical vulnerability as malicious actors can exploit valid signatures to withdraw funds from deposits without the user’s consent.

Vulnerability Detail

Impact

Anyone with access to a valid _signature can withdraw funds from deposits without the user’s consent.

Code Snippet

https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/extensions/GovernanceStakerOnBehalf.sol#L218-L241

Tool used

Manual Review, Foundry

Recommendation

Only deposit.owner or deposit.claimer should be able to call withdrawOnBehalf

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

095.md

095.md

Anyone can Withdraw staked tokens from an existing deposit on behalf of a user via `withdrawOnBehalf`

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

Files

095.md

Latest commit

History

095.md

File metadata and controls

Anyone can Withdraw staked tokens from an existing deposit on behalf of a user via withdrawOnBehalf

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

Anyone can Withdraw staked tokens from an existing deposit on behalf of a user via `withdrawOnBehalf`