Description:
According to the Steaking Docs, the steak protocol team multisig, which is effectively the owner of the steaking contract, is only responsible for setting the vault address after the staking period ends. However, the stake function does not restrict the owner from staking ETH.
Impact:
The owner can potentially stake ETH, which could lead to conflicts of interest or unintended manipulation of the staking process, affecting the fairness and transparency of the protocol.
Recommended Mitigation:
Add a check in the stake function to ensure that the owner cannot stake ETH. This can be done by asserting that msg.sender is not the owner before proceeding with the staking logic.
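The mitigation above, shown as an added Solidity example that is not part of the original finding or of the Steaking contract; the contract, its function names and the stakingEndTime/vault fields are assumptions for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal staking contract illustrating the finding above.
// It is not the Steaking contract; owner, vault and stakingEndTime are assumed names.
contract StakingExample {
    address public immutable owner;          // the team multisig
    address public vault;                    // set by the owner after the staking period
    uint256 public immutable stakingEndTime;
    mapping(address => uint256) public stakedAmount;

    event Staked(address indexed staker, uint256 amount);
    event VaultSet(address indexed vault);

    error OwnerCannotStake();
    error NotOwner();
    error StakingPeriodOver();
    error StakingPeriodNotOver();

    constructor(uint256 stakingPeriod) {
        owner = msg.sender;
        stakingEndTime = block.timestamp + stakingPeriod;
    }

    // Vulnerable shape: any caller, including the owner, may stake.
    function stakeUnchecked() external payable {
        if (block.timestamp >= stakingEndTime) revert StakingPeriodOver();
        stakedAmount[msg.sender] += msg.value;
        emit Staked(msg.sender, msg.value);
    }

    // Hardened shape: the owner is rejected before any staking logic runs.
    function stake() external payable {
        if (msg.sender == owner) revert OwnerCannotStake();
        if (block.timestamp >= stakingEndTime) revert StakingPeriodOver();
        stakedAmount[msg.sender] += msg.value;
        emit Staked(msg.sender, msg.value);
    }

    // The owner's only privileged action: setting the vault once the period has ended.
    function setVaultAddress(address _vault) external {
        if (msg.sender != owner) revert NotOwner();
        if (block.timestamp < stakingEndTime) revert StakingPeriodNotOver();
        vault = _vault;
        emit VaultSet(_vault);
    }
}
```

Note that a msg.sender check only excludes the multisig address itself; it enforces the role separation at the contract level but cannot stop the same parties from staking through other addresses they control.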