Liquid Staking
Stakelink
DeFi, Hardhat, Oracle
50,000 USDC

Submission Details
Severity: low
Status: Invalid

Unrestricted onTokenTransfer Function in OperatorVCS

Summary

The onTokenTransfer function in OperatorVCS can be called by any contract, but it only checks if msg.sender is stakingPool. If another contract sends tokens to OperatorVCS, this function might be called unexpectedly, leading to unintended behavior.

Vulnerability Details

// OperatorVCS: ERC-677 receiver hook, gated on the calling token contract
function onTokenTransfer(address, uint256, bytes calldata) external {
    if (msg.sender != address(stakingPool)) revert UnauthorizedToken();
}

Although the function checks msg.sender, there may be scenarios in which unintended tokens or contracts interact with it.

Impact

  • Unexpected Behavior: The function may be triggered unexpectedly, potentially causing issues.

  • Security Risks: Future changes to the function may introduce vulnerabilities if not properly secured.

Tools Used

Manual code review.

Recommendations

  • Additional Verification:

    • Confirm that the token being transferred is the expected token by checking msg.sender and token address.

  • Restrict Access:

    • Use modifiers or additional checks to restrict access to the function.

  • Event Emission:

    • Emit events when tokens are received to facilitate monitoring.

  • Documentation:

    • Clearly document the intended use of the function and any assumptions.
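The onTokenTransfer gate from the finding, written out as an ERC-677 receiver together with the modifier and event the recommendations above ask for, as an added illustration (not Stakelink's code); the contract names, the TokensReceived event and the 0xBEEF placeholder pool address are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// Minimal ERC-677 receiver with the same gate as the audited function,
/// plus the recommended modifier and event. Hypothetical names, not Stakelink's code.
contract VcsReceiverExample {
    error UnauthorizedToken();
    /// Emitted on every accepted callback so off-chain monitoring sees inflows.
    event TokensReceived(address indexed from, uint256 value, bytes data);

    /// The ERC-677 token whose transferAndCall() is the only legitimate caller.
    address public immutable stakingPool;
    constructor(address _stakingPool) { stakingPool = _stakingPool; }

    /// Reusable gate for any future token callbacks ("Restrict Access").
    modifier onlyStakingPool() {
        if (msg.sender != stakingPool) revert UnauthorizedToken();
        _;
    }

    /// ERC-677 hook: the token contract itself is msg.sender, so this check
    /// already identifies the token; any other token's transferAndCall() reverts.
    function onTokenTransfer(address _from, uint256 _value, bytes calldata _data)
        external onlyStakingPool
    {
        emit TokensReceived(_from, _value, _data);
    }
}

/// Harness exercising the gate from both sides; deploy and call probe().
contract VcsReceiverHarness {
    VcsReceiverExample public immutable trusted;   // this harness is its staking pool
    VcsReceiverExample public immutable untrusted; // gated to a constructed placeholder address

    constructor() {
        trusted = new VcsReceiverExample(address(this));
        untrusted = new VcsReceiverExample(address(0xBEEF));
    }

    /// Reports whether the call from the configured pool was accepted and
    /// whether the call from a foreign caller was rejected with UnauthorizedToken.
    function probe() external returns (bool acceptedFromPool, bool rejectedFromOther) {
        trusted.onTokenTransfer(msg.sender, 1 ether, ""); // passes: caller == stakingPool
        acceptedFromPool = true;
        try untrusted.onTokenTransfer(msg.sender, 1 ether, "") {
            rejectedFromOther = false; // would mean the gate is broken
        } catch (bytes memory err) {
            rejectedFromOther = bytes4(err) == VcsReceiverExample.UnauthorizedToken.selector;
        }
    }
}
```

Because the receiver never reads a token address from calldata, the msg.sender comparison is the only thing that identifies the token; the event is what makes accepted inflows visible to monitoring.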

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
