The smart contract exhibits a vulnerability related to the arbitrary from address being passed to the transferFrom operation in the stake function. This vulnerability can potentially lead to a loss of funds if an attacker manipulates the from address and makes an approval, enabling unauthorized transfers of tokens.
In the Distribution contract, specifically in the _stake function, tokens are transferred from the user's address to the contract address using IERC20(depositToken).safeTransferFrom(_msgSender(), address(this), amount_). The vulnerability arises if users fail to explicitly approve the contract to spend tokens on their behalf before calling the stake function.
An attacker could exploit the lack of approval checks and potentially transfer tokens from any address that has made an approval to the contract.
Manual Review
Implement Approval Checks:
Ensure that users explicitly approve the contract to spend tokens on their behalf before calling the stake function. This can be achieved by having users call the approve function on the ERC-20 token contract.
IERC20(depositToken).approve(addressOfYourContract, amount_);
Check Allowance in _stake:
Add a check within the _stake function to verify that the allowance is sufficient before transferring tokens.
require(IERC20(depositToken).allowance(_msgSender(), address(this)) >= amount_, "DS: insufficient allowance");
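The two patterns discussed above, side by side, as an added example that is not code from the audited project: a transferFrom whose from address is chosen by the caller, and a stake that binds the source to the caller and applies the allowance check. The contract name StakeExample, the function stakeFromUnsafe and the deposited mapping are hypothetical, and plain transferFrom stands in for the SafeERC20 safeTransferFrom call so the block compiles without imports.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed by this example.
interface IERC20 {
    function allowance(address owner, address spender) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical staking contract for illustration; not the Distribution contract.
contract StakeExample {
    IERC20 public immutable depositToken;
    mapping(address => uint256) public deposited;

    constructor(IERC20 depositToken_) {
        depositToken = depositToken_;
    }

    // Risky pattern: from_ is caller-controlled, so tokens of any holder that
    // has approved this contract can be moved by someone else's call.
    function stakeFromUnsafe(address from_, uint256 amount_) external {
        require(depositToken.transferFrom(from_, address(this), amount_), "transfer failed");
        deposited[msg.sender] += amount_;
    }

    // Hardened pattern: the source is always the caller, and the allowance is
    // checked first so a missing approval fails with an explicit reason.
    function stake(uint256 amount_) external {
        require(amount_ > 0, "DS: nothing to stake");
        require(
            depositToken.allowance(msg.sender, address(this)) >= amount_,
            "DS: insufficient allowance"
        );
        require(depositToken.transferFrom(msg.sender, address(this), amount_), "transfer failed");
        deposited[msg.sender] += amount_;
    }
}
```

When reviewing a staking contract, the check is whether every path that reaches transferFrom takes its first argument from the caller's own address (msg.sender or _msgSender()) rather than from a function parameter.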