Real Glossy Rhino - Anyone can Claim reward On Behalf of depositor or claimer via claimRewardOnBehalf
#92
Labels
Won't Fix
The sponsor confirmed this issue will not be fixed
Comments
sherlock-admin3
added
the
Won't Fix
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Real Glossy Rhino
Medium
Anyone can Claim reward On Behalf of depositor or claimer via
claimRewardOnBehalfSummary
The
claimRewardOnBehalffunction in the contract allows anyone to claim rewards on behalf of a deposit owner or claimer if they possess a valid_signature. However, there are no restrictions requiring the caller of the function to match thedeposit.ownerordeposit.claimer. This creates a significant vulnerability, as anyone with access to a valid _signature can claim rewards without beingdeposit.ownerordeposit.claimer.Vulnerability Detail
Impact
Anyone with access to a valid _signature can claim rewards without being the deposit owner or claimer.
Code Snippet
https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/extensions/GovernanceStakerOnBehalf.sol#L250-L274
Tool used
Manual Review, Foundry
Recommendation
Only
deposit.ownerordeposit.claimershould be able to callclaimRewardOnBehalfThe text was updated successfully, but these errors were encountered: