The claimFees() function allows a user to claim WETH rewards from a vault by specifying a vaultId. However, there is no check to verify whether the caller is actually a staker in the specified vault. The function retrieves the actor's reward using:
If a malicious user calls claimFees(vaultId) with an arbitrary vaultId, they can attempt to claim rewards from a vault they never staked in. While the function checks whether the actor has shares, some vaults may track actor shares incorrectly or hold outdated data, potentially allowing unauthorized withdrawals when shares are registered improperly.
An attacker could exploit faulty vault tracking mechanisms to claim WETH rewards from vaults they never contributed to, resulting in direct theft of staking rewards from legitimate stakers.
Enforce an explicit check ensuring the caller is an authorized staker in the vault before allowing withdrawals:
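As an added illustration (not the audited project's code; the contract name StakingVault and the shares, isStaker and pendingReward mappings are hypothetical), the share-only check described above beside the explicit per-vault staker check recommended here:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical minimal vault used only to illustrate the finding above.
// Identifiers here are assumptions, not names from the audited codebase.
contract StakingVault {
    IERC20 public immutable weth;
    // vaultId => staker => share balance (may drift if bookkeeping is faulty)
    mapping(uint256 => mapping(address => uint256)) public shares;
    // vaultId => staker => explicitly registered as a staker on deposit
    mapping(uint256 => mapping(address => bool)) public isStaker;
    // vaultId => staker => claimable WETH (wei)
    mapping(uint256 => mapping(address => uint256)) public pendingReward;

    event FeesClaimed(uint256 indexed vaultId, address indexed staker, uint256 amount);

    constructor(IERC20 _weth) { weth = _weth; }

    function stake(uint256 vaultId, uint256 amount) external {
        shares[vaultId][msg.sender] += amount;
        isStaker[vaultId][msg.sender] = true;   // explicit membership record
    }

    function unstake(uint256 vaultId, uint256 amount) external {
        shares[vaultId][msg.sender] -= amount;  // reverts on underflow (0.8+)
        if (shares[vaultId][msg.sender] == 0) isStaker[vaultId][msg.sender] = false;
    }

    // BEFORE: relies solely on the share balance, so any address that ends up
    // with a non-zero share entry (e.g. via faulty share tracking) can claim.
    function claimFeesVulnerable(uint256 vaultId) external {
        require(shares[vaultId][msg.sender] > 0, "no shares");
        _payout(vaultId);
    }

    // AFTER: also requires explicit staker registration for this vaultId, so a
    // stale or mis-tracked share entry alone is not sufficient to claim.
    function claimFees(uint256 vaultId) external {
        require(isStaker[vaultId][msg.sender], "not a staker in this vault");
        require(shares[vaultId][msg.sender] > 0, "no shares");
        _payout(vaultId);
    }

    function _payout(uint256 vaultId) internal {
        uint256 amount = pendingReward[vaultId][msg.sender];
        pendingReward[vaultId][msg.sender] = 0;  // effects before interactions
        emit FeesClaimed(vaultId, msg.sender, amount);
        require(weth.transfer(msg.sender, amount), "WETH transfer failed");
    }
}
```

The membership flag is only as reliable as the paths that set and clear it, so every deposit and withdrawal path in the real vault must maintain it consistently with the share accounting.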