Claim SHER on behalf of others

[code423n4]

Handle

pauliax

Vulnerability details

Impact

In SherClaim consider letting claim SHER tokens on behalf of other users. function add does not have any restrictions on the caller, thus anyone can increase the userClaims of any _user. On the other hand, the claim function only allows msg.sender to withdraw userClaims. If the _user is a smart contract that does not implement the claim functionality, their SHER tokens will be left stuck in the contract. While I expect this is not very likely to happen, I see no harm if you add a claim function with a _user parameter so anyone can help others to claim.

Also, I think it would be nice if ISherClaim interface contained function claim() so that integrators can copy the interface if necessary.

One more thing, you can consider adding a token sweep function to this contract also, and introduce a claim deadline, so an admin can rescue unclaimed or accidentally sent tokens later. But it depends on the intentions, maybe you do not want to enforce users and are okay if some SHER will be left there forever.

Recommended Mitigation Steps

An example implementation:

  function claim(address _user) external {
    // Only allow claim calls if claim period is active
    if (active() == false) revert InvalidState();

    // How much SHER the user will receive
    uint256 amount = userClaims[_user];
    // Dont proceed if it's 0 SHER
    if (amount == 0) revert InvalidAmount();
    // If it is not 0, make sure it's 0 next time the user calls this function
    delete userClaims[_user];

    // Transfer SHER to user
    sher.safeTransfer(_user, amount);

    // Emit event about the SHER claim
    emit Claim(msg.sender, _user, amount);
  }

[Evert0x]

Informational

[jack-the-pug]

A enhancement, not an issue.