Real Glossy Rhino - Anyone can Withdraw staked tokens from an existing deposit on behalf of a user via withdrawOnBehalf
#95
Labels
Won't Fix
The sponsor confirmed this issue will not be fixed
Comments
sherlock-admin3
added
the
Won't Fix
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Real Glossy Rhino
Medium
Anyone can Withdraw staked tokens from an existing deposit on behalf of a user via
withdrawOnBehalfSummary
The
withdrawOnBehalffunction allows anyone to withdraw staked tokens on behalf of a user (_depositor) if they possess a valid_signature. However, the function lacks proper validation to restrict the caller (msg.sender) from initiating withdrawals unless they are authorized by the depositor. This creates a critical vulnerability as malicious actors can exploit valid signatures to withdraw funds from deposits without the user’s consent.Vulnerability Detail
Impact
Anyone with access to a valid _signature can withdraw funds from deposits without the user’s consent.
Code Snippet
https://github.com/sherlock-audit/2024-11-tally/blob/main/staker/src/extensions/GovernanceStakerOnBehalf.sol#L218-L241
Tool used
Manual Review, Foundry
Recommendation
Only
deposit.ownerordeposit.claimershould be able to callwithdrawOnBehalfThe text was updated successfully, but these errors were encountered: