Summary

the operation is not properly secured, and there are no checks to ensure the sender is authorized to perform this action or validate if the transferred funds were staked or deposited as required.

Vulnerability Details

TKN.transferFrom(msg.sender, address(this), _amount);, here the contract isn't using safeERC20. Some implementations of transfer and transferFrom could return ‘false’ on failure instead of reverting. It is safer to wrap such calls into require() statements or use safe wrapper functions implementing return value/data checks to handle these failures. For reference, https://consensys.net/diligence/audits/2020/09/aave-protocol-v2/#unhandled-return-values-of-transfer-and-transferfrom. Since there is no check for return status, the functions is moving forwarded to add balance for staking.

Impact

Attacker can steal WETH funds from the contract without fulfilling the staking requirements. the attacker can initiate unauthorized transfers and drain the staked funds.

Tools Used

Recommendations

Use safeERC20 or check balance of TKN after transferFrom