The Distribution.sol:_Stake function allows users to deposit tokens into the contract without explicitly checking that the sender has approved the contract to spend tokens on their behalf.
Missing Approval Check:
The Distribution.sol:_Stake function does not check that the sender has approved the contract to spend tokens on their behalf before initiating the transfer. Without this approval check, users can unintentionally or maliciously send tokens to the contract, leading to a loss of tokens for the sender.

Impact:
The vulnerability can result in a loss of tokens for users who inadvertently send tokens to the contract without proper approval. Malicious contracts or actors could exploit this vulnerability to drain tokens from unsuspecting users' accounts.
Tools Used:
Manual Review
Recommended Mitigation:
Modify the stake function to check, using the allowance mechanism provided by ERC-20 tokens, that the sender has approved the contract to spend tokens on their behalf before transferring them.
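The following is an added illustration of the recommended check, not code from the project's Distribution.sol; the contract name, `depositToken`, `stakes` and the custom error names are assumptions, and it assumes a standard ERC-20 token without transfer fees.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Added example (hypothetical contract, not the audited Distribution.sol):
/// a staking entry point that verifies the caller's allowance before
/// pulling tokens, so a missing approval fails fast with a clear error.
contract StakeWithAllowanceCheck {
    using SafeERC20 for IERC20;

    IERC20 public immutable depositToken;            // assumed token being staked
    mapping(address => uint256) public stakes;       // assumed per-user stake record

    error ZeroAmount();
    error InsufficientAllowance(uint256 required, uint256 available);
    error InsufficientBalance(uint256 required, uint256 available);

    constructor(IERC20 token) {
        depositToken = token;
    }

    function stake(uint256 amount) external {
        _stake(msg.sender, amount);
    }

    function _stake(address user, uint256 amount) internal {
        if (amount == 0) revert ZeroAmount();

        // Explicit allowance check before any transfer. A conforming ERC-20
        // transferFrom already reverts on insufficient allowance, but checking
        // here surfaces a descriptive error instead of a generic revert.
        uint256 allowed = depositToken.allowance(user, address(this));
        if (allowed < amount) revert InsufficientAllowance(amount, allowed);

        uint256 bal = depositToken.balanceOf(user);
        if (bal < amount) revert InsufficientBalance(amount, bal);

        // Checks-effects-interactions: record the stake, then pull tokens.
        // safeTransferFrom reverts if the token returns false, so the whole
        // transaction (including the stake update) is rolled back on failure.
        stakes[user] += amount;
        depositToken.safeTransferFrom(user, address(this), amount);
    }
}
```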