Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

t.aksoy - Invalid authorized check for staking tokens #122

Closed
sherlock-admin4 opened this issue Jul 15, 2024 · 0 comments
Closed

t.aksoy - Invalid authorized check for staking tokens #122

sherlock-admin4 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin4
Copy link

sherlock-admin4 commented Jul 15, 2024
edited
Loading

t.aksoy

Medium

Invalid authorized check for staking tokens

Summary

The authorization check for operators or owners in the MlumStaking::addToPosition() function always returns true, allowing any user to access this function for any token ID.

Vulnerability Detail

The MlumStaking::addToPosition() function is intended to be callable only by the owner or operators. It includes a check using _requireOnlyOperatorOrOwnerOf(), which uses msg.sender as both the owner and spender. This logic flaw results in the check always returning true, therefore allowing any user to call addToPosition() for any token ID.

    function _requireOnlyOperatorOrOwnerOf(uint256 tokenId) internal view {
        // isApprovedOrOwner: caller has no rights on token
        require(ERC721Upgradeable._isAuthorized(msg.sender, msg.sender, tokenId), "FORBIDDEN");
    }

Impact

MlumStaking::addToPosition() can be called by any user to lock another users token further

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/42e799446595c542eff9519353d3becc50cdba63/magicsea-staking/src/MlumStaking.sol#L142

Tool used

Manual Review

Recommendation

Modify the check to use the actual token owner instead of msg.sender:

       require(ERC721Upgradeable._isAuthorized(owner, msg.sender, tokenId), "FORBIDDEN");

Duplicate of #378
@github-actions github-actions bot added duplicate Medium A Medium severity issue. labels Jul 21, 2024
@sherlock-admin4 sherlock-admin4 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Sour Sage Cougar - Invalid authorized check for staking tokens t.aksoy - Invalid authorized check for staking tokens Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin4