A vulnerability was identified in the FjordStaking::_unstakeVested function, where the use of the ERC20 transferFrom method allows for an arbitrary address to be specified as the from parameter. This could lead to unauthorized token transfers resulting in potential financial loss for token owners. Additionally, transferring tokens to a payable address using transfer or transferFrom functions from ERC20 contracts can result in the loss of tokens if the destination contract does not handle such transfers properly.
By allowing an arbitrary address to be used as the from parameter in the transferFrom function, any user could potentially transfer tokens from another user's account without proper authorization. This significant oversight can lead to unauthorized access and transfer of tokens, causing financial loss to token owners. Specifically, the vulnerability is found in line 558 of FjordStaking.sol, where the ERC20 transferFrom method does not pass msg.sender as the from parameter. Instead, the from parameter can be any address, increasing the risk of unauthorized token transfers.
Moreover, transferring tokens to a payable address using transfer or transferFrom can be problematic as these functions are not aware of the payable status of the address. Payable addresses, typically contracts expecting Ether, might have a receive or fallback function to handle incoming transactions. When ERC20 tokens are sent to these addresses, such functions are not triggered, potentially leading to a loss of tokens if the contract lacks a retrieval mechanism.
The primary impact of this vulnerability is the potential for unauthorized token transfers from a user's account, which could result in a substantial loss of funds for the token owner. Additionally, transferring tokens to a payable address using transfer or transferFrom may lead to the accidental loss of tokens if the receiving contract cannot handle the token transfer, further compounding the potential financial loss.
Manual code review
Restrict the from Parameter: Ensure that the transferFrom function in FjordStaking always uses msg.sender as the from parameter to prevent unauthorized transfers.
Handle Payable Address Transfers: Avoid using transfer or transferFrom for transferring tokens to payable addresses and instead use the call{value: x}("") pattern when dealing with Ether transfers to ensure the receiving contract can manage the funds correctly.
Implement Authorization Checks: Always validate that the sender has the necessary permissions to execute the token transfer on behalf of the from address.
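The first and third recommendations, sketched as an added example on a hypothetical staking contract. This is not FjordStaking's code: the contract name, functions and the operator mapping are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface needed for the illustration.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical contract (assumption): names and layout are not taken from FjordStaking.
contract StakeExample {
    IERC20 public immutable token;
    mapping(address => uint256) public staked;
    // owner => operator => allowed to stake on the owner's behalf
    mapping(address => mapping(address => bool)) public isOperator;

    constructor(IERC20 _token) {
        token = _token;
    }

    // Flagged pattern: `from` is caller-supplied, so the pull spends the
    // allowance that `from` granted to this contract, while the caller is credited.
    function stakeUnrestricted(address from, uint256 amount) external {
        staked[msg.sender] += amount;
        require(token.transferFrom(from, address(this), amount), "transfer failed");
    }

    // Restricted form: tokens can only be pulled from the caller.
    function stake(uint256 amount) external {
        staked[msg.sender] += amount;
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    // Owners opt in to delegation explicitly.
    function setOperator(address operator, bool approved) external {
        isOperator[msg.sender][operator] = approved;
    }

    // Delegated form: a `from` other than the caller requires prior
    // authorization by `from`, and the stake is credited to `from`.
    function stakeFor(address from, uint256 amount) external {
        require(from == msg.sender || isOperator[from][msg.sender], "not authorized");
        staked[from] += amount;
        require(token.transferFrom(from, address(this), amount), "transfer failed");
    }
}
```

When reviewing a flagged `transferFrom` call, trace where the `from` argument originates: a constant such as `msg.sender` or `address(this)` behaves differently from a value taken from calldata.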